Abstract

The use of Craig interpolants has enabled the development of powerful hardware and software model checking
techniques. Efficient algorithms are known for computing interpolants in rational and real linear arithmetic.
We focus on subsets of integer linear arithmetic. Our main results are polynomial time algorithms
for obtaining proofs of unsatisfiability and interpolants for conjunctions of linear diophantine equations,
linear modular equations (linear congruences), and linear diophantine disequations. We show the utility of
the proposed interpolation algorithms for discovering modular/divisibility predicates in a counterexample
guided abstraction refinement (CEGAR) framework. This has enabled verification of simple programs that
cannot be checked using existing CEGAR based model checkers.


1  Introduction 


The use of Craig interpolation [12] has led to powerful hardware [23] and software [17] model checking
techniques. In [23] the idea of interpolation is used for obtaining over-approximations of the reachable
set of states without using the costly image computation (existential quantification) operations. In [17, 18]
interpolants are used for finding the right set of predicates in order to rule out spurious counterexamples. An
interpolating theorem prover performs the task of finding the interpolants. Such provers are available for
various theories such as propositional logic, rational and real linear arithmetic and equality with uninterpreted
functions [24, 33, 19, 18, 28, 20, 10].

Efficient algorithms are known for computing interpolants in rational and real linear arithmetic [24, 28,
10]. Linear arithmetic formulas where all variables are constrained to be integers are said to be formulas
in (pure) integer linear arithmetic or $LA(\mathbb{Z})$, where $\mathbb{Z}$ is the set of integers. There are no known efficient
algorithms for computing interpolants for formulas in $LA(\mathbb{Z})$. This is expected because checking the
satisfiability of conjunctions of atomic formulas in $LA(\mathbb{Z})$ is itself NP-hard. We show that for various subsets of
$LA(\mathbb{Z})$ one can compute proofs of unsatisfiability and interpolants efficiently.

Informally, a linear equation where all variables are integer variables is said to be a linear diophantine
equation (LDE). A linear modular equation (LME) or a linear congruence over integer variables is a type of
linear equation that expresses divisibility relationships. A system of LDEs (LMEs) denotes conjunctions of
LDEs (LMEs). Both LDEs and LMEs arise naturally in program verification when modeling assignments
and conditional statements as logical formulas. These subsets of $LA(\mathbb{Z})$ are also known to be tractable,
that is, polynomial time algorithms are known for deciding systems of LDEs and LMEs. We study the
interpolation problem for LDEs and LMEs.

Let $F, G$ be formulas such that $F \wedge G$ is unsatisfiable. An interpolant for the pair $(F, G)$ is a formula
$I(F, G)$ with the following properties: (i) $F$ implies $I(F, G)$, (ii) $I(F, G) \wedge G$ is unsatisfiable, and (iii)
$I(F, G)$ refers only to the common variables of $F$ and $G$. This paper presents the following new results.

•  $F, G$ denote a system of LDEs: We show that $I(F, G)$ can be obtained in polynomial time by using a
proof of unsatisfiability of $F \wedge G$. The interpolant can be either a LDE or a LME. This is because in
some cases there is no $I(F, G)$ that is a LDE. In these cases, however, there is always an $I(F, G)$ in
the form of a LME. (Section 3)

•  $F, G$ denote a system of LMEs: We obtain $I(F, G)$ in polynomial time by using a proof of
unsatisfiability of $F \wedge G$. We can ensure that $I(F, G)$ is a LME. (Section 4)

•  Let $S$ denote an unsatisfiable system of LDEs. The proof of unsatisfiability of $S$ can be obtained in
polynomial time by using the Hermite Normal Form of $S$ (represented in matrix form). A system of
LMEs $R$ can be reduced to an equi-satisfiable system of LDEs $R'$. The proof of unsatisfiability for $R$
is easily obtained from the proof of unsatisfiability of $R'$. (Section 5)

•  Let $S$ denote a system of LDEs. We show that if $S$ has an integral solution, then every LDE that is
implied by $S$ can be obtained by a linear combination of equations in $S$. We show that $S$ is convex
[25], that is, if $S$ implies a disjunction of LDEs, then it implies one of the equations in the disjunction.
In contrast, conjunctions of atomic formulas in $LA(\mathbb{Z})$ are not convex due to inequalities [25]. These
results help in efficiently dealing with linear diophantine disequations (LDDs). (Section 6)

•  Let $S = S_1 \wedge S_2$, where $S_1$ is a system of LDEs, while $S_2$ is a system of LDDs. We say that $S$ is a
system of LDEs+LDDs. We show that $S$ has no integral solution if and only if $S_1 \wedge S_2$ has no rational
solution or $S_1$ has no integral solution. This gives a polynomial time decision procedure for checking
if $S$ has an integral solution. If $S$ has no integral solution, then the proof of unsatisfiability of $S$ can
be obtained in polynomial time. (Section 6)

•  $F, G$ denote a system of LDEs+LDDs: We show $I(F, G)$ can be obtained in polynomial time. The
interpolant can be an LDE, an LDD, or an LME. (Section 6)

•  We show the utility of our interpolation algorithms in counterexample guided abstraction refinement
(CEGAR) based verification [11]. Our interpolation algorithm is effective at discovering
modular/divisibility predicates, such as $3x + y + 2z \equiv 1 \pmod{4}$, from spurious counterexamples. This
has allowed us to verify programs that cannot be verified by existing hardware and software model
checkers. (Section 7)

Polynomial time algorithms are known for solving (deciding) a system of LDEs [29, 7] and LMEs
(by reduction to LDEs) over integers. We do not give any new algorithms for solving a system of LDEs
or LMEs. Instead we focus on obtaining proofs of unsatisfiability and interpolants for systems of LDEs,
LMEs, LDEs+LDDs. We only consider conjunctions of LDEs, LMEs, LDEs+LDDs. Interpolants for any
(unsatisfiable) Boolean combinations of LDEs can also be obtained by calling the interpolation algorithm
for conjunctions of LDEs+LDDs multiple times in a satisfiability modulo theory (SMT) framework [10].
However, computing interpolants for Boolean combinations of LMEs is difficult. This is due to linear
modular disequations (LMDs). We can show that even the decision problem for conjunctions of LMDs is
NP-hard.

All proofs are present in the appendix of this paper.

1.1  Related  work 

It is known that Presburger arithmetic (PA) allows quantifier elimination [26]. Kapur et al. [19] show that
a recursively enumerable theory allows quantifier-free interpolants if and only if it allows quantifier
elimination. The systems of LDEs, LMEs, LDEs+LDDs are subsets of PA. Thus, the existence of quantifier-free
interpolants for these systems follows from [19]. However, quantifier elimination for PA has an exponential
complexity and does not immediately yield efficient algorithms for computing interpolants. We give
polynomial time algorithms for computing proofs of unsatisfiability and interpolants for systems (conjunctions)
of LDEs, LMEs, LDEs+LDDs.

Let $S_1, S_2$ denote conjunctions of atomic formulas in $LA(\mathbb{Z})$. Suppose $S_1 \wedge S_2$ is unsatisfiable. Pudlak
[27] shows how to compute an interpolant for $(S_1, S_2)$ by using a cutting-plane (CP) proof of unsatisfiability.
The CP proof system is a sound and complete way of proving unsatisfiability of conjunctions of atomic
formulas in $LA(\mathbb{Z})$. However, a CP proof for a formula can be exponential in the size of the formula.
Pudlak does not provide any guarantee on the size of CP proofs for a system of LDEs or LMEs. Our results
show that polynomially sized proofs of unsatisfiability and interpolants can be obtained for systems of
LDEs, LMEs and LDEs+LDDs.

McMillan [24] shows how to compute interpolants in the combined theory of rational linear arithmetic
$LA(\mathbb{Q})$ and equality with uninterpreted functions EUF by using proofs of unsatisfiability. Rybalchenko and
Sofronie-Stokkermans [28] show how to compute interpolants in combined $LA(\mathbb{Q})$, EUF and real linear
arithmetic $LA(\mathbb{R})$ by using linear programming solvers in a black-box fashion. The key idea in [28] is to
use an extension of Farkas lemma [29] to reduce the interpolation problem to constraint solving in $LA(\mathbb{Q})$
and $LA(\mathbb{R})$. Cimatti et al. [10] show how to compute interpolants in a satisfiability modulo theory (SMT)
framework for $LA(\mathbb{Q})$, rational difference logic fragment and EUF. By making use of state-of-the-art SMT
algorithms [14] they obtain significant improvements over existing interpolation tools for $LA(\mathbb{Q})$ and EUF.
Yorsh and Musuvathi [33] give a Nelson-Oppen [25] style method for generating interpolants in a combined
theory by using the interpolation procedures for individual theories. Kroening and Weissenbacher [20]
show how a bit-level proof can be lifted to a word-level proof of unsatisfiability (and interpolants) for
equality logic.

To the best of our knowledge the work in [24, 33, 28, 20, 10] is not complete for computing interpolants
in $LA(\mathbb{Z})$ or its subsets such as LDEs, LMEs, LDEs+LDDs. That is, the work in [24, 33, 28, 20, 10] cannot
compute interpolants for formulas that are satisfiable over rationals but unsatisfiable over integers. Such
formulas can arise in both hardware and software verification. We give sound and complete polynomial time
algorithms for computing interpolants for conjunctions of LDEs, LMEs, LDEs+LDDs. Efficient
interpolation algorithms for LDEs, LMEs, LDEs+LDDs are also crucial in order to develop practical interpolating
theorem provers for $LA(\mathbb{Z})$ and bit-vector arithmetic [13, 6, 5, 15, 21, 9, 16, 8].

2  Notation  and  preliminaries 

We use capital letters $A, B, C, X, Y, Z, \ldots$ to denote matrices and formulas. A matrix $M$ is integral
(rational) iff all elements of $M$ are integers (rationals). For a matrix $M$ with $m$ rows and $n$ columns we say that
the size of $M$ is $m \times n$. A row vector is a matrix with a single row. A column vector is a matrix with a single
column. We sometimes identify a matrix $M$ of size $1 \times 1$ by its only element. If $A, B$ are matrices, then
$AB$ denotes matrix multiplication. We assume that all matrix operations are well defined in this paper. For
example, when we write $AB$ without specifying the sizes of matrices $A, B$, it is assumed that the number of
columns in $A$ equals the number of rows in $B$.

For any rational numbers $\alpha$ and $\beta$, $\alpha \mid \beta$ if and only if $\alpha$ divides $\beta$, that is, if and only if $\beta = \lambda\alpha$ for some
integer $\lambda$. We say that $\alpha$ is equivalent to $\beta$ modulo $\gamma$, written as $\alpha \equiv \beta \pmod{\gamma}$, if and only if $\gamma \mid (\alpha - \beta)$. We
say $\gamma$ is the modulus of the equation $\alpha \equiv \beta \pmod{\gamma}$. We allow $\alpha, \beta, \gamma$ to be rational numbers. If $\alpha_1, \ldots, \alpha_n$
are rational numbers, not all equal to 0, then the largest rational number $\gamma$ dividing each of $\alpha_1, \ldots, \alpha_n$ exists
[29], and is called the greatest common divisor, or gcd of $\alpha_1, \ldots, \alpha_n$, denoted by $\gcd(\alpha_1, \ldots, \alpha_n)$. We
assume that gcd is always positive.

Basic Properties of Modular Arithmetic: Let $a, b, c, d, m$ be rational numbers.

P1. $a \equiv a \pmod{m}$ (reflexivity).

P2. $a \equiv b \pmod{m}$ implies $b \equiv a \pmod{m}$ (symmetry).

P3. $a \equiv b \pmod{m}$ and $b \equiv c \pmod{m}$ imply $a \equiv c \pmod{m}$ (transitivity).

P4. If $a \equiv b \pmod{m}$, $c \equiv d \pmod{m}$, and $x, y$ are integers, then $ax + cy \equiv bx + dy \pmod{m}$ (integer
linear combination).

P5. If $c > 0$ then $a \equiv b \pmod{m}$ if, and only if, $ac \equiv bc \pmod{mc}$.

P6. If $a = b$, then $a \equiv b \pmod{m}$ for any $m$.

Example 1 Observe that $x \equiv 0 \pmod{1}$ for any integer $x$. Also observe from P5 (with $c = 2$) that
$\frac{1}{2}x \equiv 0 \pmod{1}$ if and only if $x \equiv 0 \pmod{2}$.

A linear diophantine equation (LDE) is a linear equation $c_1 x_1 + \ldots + c_n x_n = c_0$, where $x_1, \ldots, x_n$ are
integer variables and $c_0, \ldots, c_n$ are rational numbers. A variable $x_i$ is said to occur in the LDE if $c_i \neq 0$. We
denote a system of $m$ LDEs in a matrix form as $CX = D$, where $C$ denotes an $m \times n$ matrix of rationals,
$X$ denotes a column vector of $n$ integer variables and $D$ denotes a column vector of $m$ rationals. When we
write a (single) LDE in the form $CX = D$, it is implicitly assumed that the sizes of $C, X, D$ are of the form
$1 \times n$, $n \times 1$, $1 \times 1$, respectively. A variable is said to occur in a system of LDEs if it occurs in at least one
of the LDEs in the given system of LDEs.

A linear modular equation (LME) has the form $c_1 x_1 + \ldots + c_n x_n \equiv c_0 \pmod{l}$, where $x_1, \ldots, x_n$ are
integer variables, $c_0, \ldots, c_n$ are rational numbers, and $l$ is a rational number. We call $l$ the modulus of the
LME. Allowing $l$ to be a rational number allows for simpler proofs and covers the case when $l$ is an integer.
For brevity, we write a LME $t \equiv c \pmod{l}$ by $t \equiv_l c$. A variable $x_i$ is said to occur in a LME if $l$ does not
divide $c_i$.

A system of LDEs (LMEs) denotes conjunctions of LDEs (LMEs). If $F, G$ are a system of LDEs (LMEs),
then $F \wedge G$ is also a system of LDEs (LMEs).

2.1  Craig  Interpolants 

Let $F$ and $G$ be two logical formulas in a theory $T$ such that $F \wedge G$ is unsatisfiable in $T$. An interpolant $I$
for the ordered pair $(F, G)$ is a formula such that

(1) $F \Rightarrow I$ in $T$

(2) $I \wedge G$ is unsatisfiable in $T$

(3) $I$ refers to only the common variables of $F$ and $G$.

The interpolant $I$ can contain symbols that are interpreted by $T$. In this paper such symbols will be one of
the following: addition ($+$), equality ($=$), modular equality for some rational number $m$ ($\equiv_m$), disequality
($\neq$), and multiplication by a rational number ($\times$). The exact set of interpreted symbols in the interpolant
depends on $T$.


3  System  of  linear  diophantine  equations  (LDEs) 

In  this  section  we  discuss  proofs  of  unsatisfiability  and  interpolation  algorithm  for  LDEs.  The  following 
theorem  from  [29]  gives  a  necessary  and  sufficient  condition  for  a  system  of  LDEs  to  have  an  integral 
solution. 

Theorem 1 (Schrijver [29]) A system of LDEs $CX = D$ has no integral solution for $X$, if and only if there
exists a rational row vector $R$ such that $RC$ is integral and $RD$ is not an integer.

Definition  1  We  say  a  system  of  LDEs  CX  =  D  is  unsatisfiable  if  it  has  no  integral  solution  for  X.  For 
a  system  of  LDEs  CX  =  D  a  proof  of  unsatisfiability  is  a  rational  row  vector  R  such  that  RC  is  integral 
and  RD  is  not  an  integer. 


In Section 5 we describe how a proof of unsatisfiability $R$ can be obtained in polynomial time for an
unsatisfiable system of LDEs. (We show in the appendix I that $R$ can be converted to a polynomially sized proof
in a cutting-plane proof system [29, 7].)


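Example 2 Consider the system of LDEs $CX = D$ and a proof of unsatisfiability $R$:

$$CX = D := \begin{bmatrix} 1 & 1 & 0 \\ 1 & -1 & 0 \\ 0 & 2 & 2 \end{bmatrix} \begin{bmatrix} x \\ y \\ z \end{bmatrix} = \begin{bmatrix} 1 \\ 1 \\ 3 \end{bmatrix}, \qquad R = \left[\tfrac{1}{2}, -\tfrac{1}{2}, \tfrac{1}{2}\right], \quad RC = [0, 2, 1], \quad RD = \tfrac{3}{2}$$

Example 3 Consider the system of LDEs $CX = D$ and a proof of unsatisfiability $R$:

$$CX = D := \begin{bmatrix} 1 & -2 & 0 \\ 1 & 0 & -2 \end{bmatrix} \begin{bmatrix} x \\ y \\ z \end{bmatrix} = \begin{bmatrix} 0 \\ 1 \end{bmatrix}, \qquad R = \left[\tfrac{1}{2}, \tfrac{1}{2}\right], \quad RC = [1, -1, -1], \quad RD = \tfrac{1}{2}$$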


The  above  examples  will  be  used  as  running  examples  in  the  paper. 

Definition 2 (Implication) A system of LDEs $CX = D$ implies a (single) LDE $AX = B$, if every integral
vector $X$ satisfying $CX = D$ also satisfies $AX = B$.

Similarly, $CX = D$ implies a (single) LME $AX \equiv_m B$, if every integral vector $X$ satisfying $CX = D$
also satisfies $AX \equiv_m B$.


Lemma 1 (Linear combination) For every rational row vector $U$ the system of LDEs $CX = D$ implies the
LDE $UCX = UD$. Note that $UCX = UD$ is simply a linear combination of the equations in $CX = D$.
The system $CX = D$ also implies the LME $UCX \equiv_m UD$ for any rational number $m$.

Example 4 The system of LDEs $CX = D$ in Example 3 implies the LDE $[\frac{1}{2}, \frac{1}{2}]CX = [\frac{1}{2}, \frac{1}{2}]D$, which
simplifies to $x - y - z = \frac{1}{2}$. The system $CX = D$ also implies the LME $x - y - z \equiv_m \frac{1}{2}$ for any rational
number $m$.


3.1  Computing  interpolants  for  systems  of  LDEs 

Let $F \wedge G$ denote an unsatisfiable system of LDEs. The following example shows that an unsatisfiable
system of LDEs does not always have an LDE as an interpolant.

Example 5 Let $F := x - 2y = 0$ and $G := x - 2z = 1$. Intuitively, $F$ expresses the constraint that $x$ is even
and $G$ expresses the constraint that $x$ is odd, thus, $F \wedge G$ is unsatisfiable. We gave a proof of unsatisfiability
of $F \wedge G$ in Example 3. Observe that the pair $(F, G)$ does not have any quantifier-free interpolant that is
also a LDE. The problem is that the interpolant can only refer to the variable $x$. We can prove (using Lemma
6 or see Appendix A) that there is no formula $I$ of the form $c_1 x + c_2 = 0$, where $c_1, c_2$ are rational numbers,
such that $F \Rightarrow I$ and $I \wedge G$ is unsatisfiable.

As shown by the above example it is possible that there exists no LDE that is an interpolant for $(F, G)$. We
show that in this case the system $(F, G)$ always has an LME as an interpolant. In the above example an
interpolant will be $x \equiv_2 0$. Intuitively, the interpolant means that $x$ is an even integer.

We now describe the algorithm for obtaining interpolants. Let $AX = A'$, $BX = B'$ be systems of
LDEs, where $X = [x_1, \ldots, x_n]$ is a column vector of $n$ integer variables. Suppose the combined system of
LDEs $AX = A' \wedge BX = B'$ is unsatisfiable. We want to compute an interpolant for $(AX = A', BX = B')$.
Let $R = [R_1, R_2]$ be a proof of unsatisfiability of $AX = A' \wedge BX = B'$ according to Definition 1. Then
$R_1 A + R_2 B$ is integral and $R_1 A' + R_2 B'$ is not an integer.

Recall that a variable is said to occur in a system of LDEs if it occurs with a non-zero coefficient in one of
the equations in the system of LDEs. Let $V_{AB} \subseteq X$ denote the set of variables that occur in both $AX = A'$
and $BX = B'$, let $V_{A \setminus B} \subseteq X$ denote the set of variables occurring only in $AX = A'$ (and not in $BX = B'$),
and let $V_{B \setminus A} \subseteq X$ denote the set of variables occurring only in $BX = B'$ (and not in $AX = A'$).
We call the LDE $R_1 AX = R_1 A'$ a partial interpolant for $(AX = A', BX = B')$. It is a linear
combination of equations in $AX = A'$. The partial interpolant $R_1 AX = R_1 A'$ can be written in the
following form

$$\sum_{x_i \in V_{A \setminus B}} a_i x_i + \sum_{x_i \in V_{AB}} b_i x_i = c \qquad (1)$$

where all coefficients $a_i$, $b_i$ and $c = R_1 A'$ are rational numbers. Observe that the partial interpolant does
not contain any variable that occurs only in $BX = B'$ ($V_{B \setminus A}$).

Lemma 2 The coefficient $a_i$ of each $x_i \in V_{A \setminus B}$ in the partial interpolant $R_1 AX = R_1 A'$ (Equation 1) is
an integer.

Lemma 3 The partial interpolant $R_1 AX = R_1 A'$ satisfies the first two conditions in the definition of an
interpolant. That is,

1. $AX = A'$ implies $R_1 AX = R_1 A'$

2. $(R_1 AX = R_1 A') \wedge BX = B'$ is unsatisfiable

If $a_i = 0$ for all $x_i \in V_{A \setminus B}$ (Equation 1), then the partial interpolant only contains the variables from $V_{AB}$.
In this case the partial interpolant is an interpolant for $(AX = A', BX = B')$.

The proofs of the above lemmas are given in Appendix A.

Example 6 Consider the system of LDEs $CX = D$ in Example 2. A proof of unsatisfiability for this system
is $R = [\frac{1}{2}, -\frac{1}{2}, \frac{1}{2}]$. Let $AX = A'$ be the first two equations in $CX = D$, that is, $x + y = 1 \wedge x - y = 1$
(in matrix form). Let $BX = B'$ be the third equation in $CX = D$, that is, $2y + 2z = 3$. Observe that
$V_{A \setminus B} := \{x\}$, $V_{AB} := \{y\}$, $V_{B \setminus A} := \{z\}$. In this case $R_1 = [\frac{1}{2}, -\frac{1}{2}]$. The partial interpolant for the pair
$(AX = A', BX = B')$ is $y = 0$, which is also an interpolant because $y \in V_{AB}$.

The  following  example  shows  that  a  partial  interpolant  need  not  be  an  interpolant. 

Example 7 Consider the system $CX = D$ in Example 3. A proof of unsatisfiability for this system is
$R = [\frac{1}{2}, \frac{1}{2}]$. Let $AX = A'$ be the first equation in $CX = D$, that is, $x - 2y = 0$. Let $BX = B'$ be the
second equation in $CX = D$, that is, $x - 2z = 1$. Observe that $V_{A \setminus B} := \{y\}$, $V_{AB} := \{x\}$, $V_{B \setminus A} := \{z\}$.
In this case $R_1 = [\frac{1}{2}]$. Thus, the partial interpolant for the pair $(AX = A', BX = B')$ is $\frac{1}{2}x - y = 0$.
Observe that the partial interpolant is not an interpolant as it contains the variable $y$, which does not occur in
$V_{AB}$. This is not surprising since we have already seen in Example 5 that $(x - 2y = 0, x - 2z = 1)$ cannot
have an interpolant that is a LDE.

We now intuitively describe how to remove variables from the partial interpolant that are not common to
$AX = A'$ and $BX = B'$. In Example 7 the partial interpolant is $\frac{1}{2}x - y = 0$, where $y \notin V_{AB}$. We show
how to eliminate $y$ from $\frac{1}{2}x - y = 0$ in order to obtain an interpolant. We use modular arithmetic in order to
eliminate $y$. Informally, the equation $\frac{1}{2}x - y = 0$ implies $\frac{1}{2}x - y \equiv 0 \pmod{\gamma}$ for any rational number $\gamma$.
Let $\alpha$ denote the greatest common divisor of the coefficients of variables (in $\frac{1}{2}x - y = 0$) that do not occur in
$V_{AB}$. In this example $\alpha = 1$ (gcd of the coefficient of $y$). We know $\frac{1}{2}x - y = 0$ implies $\frac{1}{2}x - y \equiv 0 \pmod{1}$.
Since $y$ is an integer variable $y \equiv 0 \pmod{1}$. We can add $\frac{1}{2}x - y \equiv 0 \pmod{1}$ and $y \equiv 0 \pmod{1}$ to obtain
$\frac{1}{2}x \equiv 0 \pmod{1}$ (note that $y$ is eliminated). Intuitively, the linear modular equation $\frac{1}{2}x \equiv 0 \pmod{1}$ is an
interpolant for $(x - 2y = 0, x - 2z = 1)$. By using basic modular arithmetic this interpolant can be written
as $x \equiv 0 \pmod{2}$.

We now formalize the above intuition to address the case when the partial interpolant contains variables
that are not common to $AX = A'$ and $BX = B'$.

Theorem 2 Assume that the coefficient $a_i$ of at least one $x_i \in V_{A \setminus B}$ in the partial interpolant (Equation 1)
is not zero. Let $\alpha$ denote the gcd of $\{a_i \mid x_i \in V_{A \setminus B}\}$.

(a) $\alpha$ is an integer and $\alpha > 0$.

(b) Let $\beta$ be any integer that divides $\alpha$. Then the following linear modular equation $I_\beta$ is an interpolant for
$(AX = A', BX = B')$.

$$I_\beta := \sum_{x_i \in V_{AB}} b_i x_i \equiv c \pmod{\beta}$$

Observe that $I_\beta$ contains only variables that are common to both $AX = A'$ and $BX = B'$. It is obtained
from the partial interpolant by dropping all variables occurring only in $AX = A'$ ($V_{A \setminus B}$) and replacing the
linear equality by a modular equality.


The proof can be found in Appendix A.2. In Theorem 2, $I_1$ is always an interpolant for $(AX =
A', BX = B')$. For $\alpha > 1$ Theorem 2 allows us to obtain multiple interpolants by choosing different $\beta$. For
any $\beta$ that divides $\alpha$, $I_\alpha \Rightarrow I_\beta$ and $I_\beta \Rightarrow I_1$. Depending upon the application one can use the strongest
interpolant $I_\alpha$ (least satisfying assignments) or the weakest interpolant $I_1$ (most satisfying assignments).
The next example illustrates the use of Theorem 2 in obtaining multiple interpolants.


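Example 8 Consider the system of LDEs $CX = D$ and a proof of unsatisfiability $R$:

$$CX = D := \begin{bmatrix} 30 & 4 \\ 0 & 1 \end{bmatrix} \begin{bmatrix} x \\ y \end{bmatrix} = \begin{bmatrix} 2 \\ 2 \end{bmatrix}, \qquad R = \left[\tfrac{1}{5}, \tfrac{1}{5}\right], \quad RC = [6, 1], \quad RD = \tfrac{4}{5}$$

Let $AX = A'$ be the first equation in $CX = D$, that is, $30x + 4y = 2$ (in matrix form). Let $BX = B'$ be the
second equation in $CX = D$, that is, $y = 2$. Observe that $V_{A \setminus B} := \{x\}$, $V_{AB} := \{y\}$, $V_{B \setminus A} := \emptyset$. In this
case $R_1 = [\frac{1}{5}]$. The partial interpolant $R_1 AX = R_1 A'$ for the pair $(AX = A', BX = B')$ is $6x + \frac{4}{5}y = \frac{2}{5}$.

The partial interpolant is not an interpolant as it contains the variable $x$, which does not occur in $V_{AB}$.
Using Theorem 2 we can obtain four interpolants for the pair $(AX = A', BX = B')$:

$$I_1 := \tfrac{4}{5}y \equiv_1 \tfrac{2}{5} \qquad I_2 := \tfrac{4}{5}y \equiv_2 \tfrac{2}{5} \qquad I_3 := \tfrac{4}{5}y \equiv_3 \tfrac{2}{5} \qquad I_6 := \tfrac{4}{5}y \equiv_6 \tfrac{2}{5}$$

$I_6$ implies all other interpolants. That is, $I_6 \Rightarrow I_3$, $I_6 \Rightarrow I_2$, $I_6 \Rightarrow I_1$. $I_1$ is implied by all other interpolants.
That is, $I_2 \Rightarrow I_1$, $I_3 \Rightarrow I_1$, $I_6 \Rightarrow I_1$.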


Lemma 3 and Theorem 2 give us a sound and complete algorithm for computing an interpolant for
unsatisfiable systems of LDEs. (See Appendix A.3 for the algorithm pseudocode.)
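The procedure given by Lemma 3 and Theorem 2, as an added Python example (it is not the paper's Appendix A.3 pseudocode). The function names are hypothetical, the inputs are the systems and proofs of Examples 6, 7 and 8, and check_interpolant is only a bounded sanity check over a box of integer points, not a proof.

```python
from fractions import Fraction as Fr
from functools import reduce
from itertools import product
from math import gcd

def row_times(R, M):
    """Row vector R times matrix M (a list of rows)."""
    return [sum(r * row[j] for r, row in zip(R, M)) for j in range(len(M[0]))]

def dot(R, D):
    return sum(r * d for r, d in zip(R, D))

def is_unsat_proof(R, C, D):
    """Definition 1: RC is integral and RD is not an integer."""
    return (all(Fr(c).denominator == 1 for c in row_times(R, C))
            and Fr(dot(R, D)).denominator != 1)

def occurs(M):
    """Indices of variables with a non-zero coefficient in some equation of M."""
    return {j for row in M for j, c in enumerate(row) if c != 0}

def interpolate_lde(A, A1, B, B1, R, beta=None):
    """Interpolant for (AX = A1, BX = B1) from a proof R = [R1, R2].

    Returns (coeffs, rhs, modulus). modulus None means the LDE coeffs.X = rhs,
    otherwise the LME coeffs.X = rhs (mod modulus). beta defaults to alpha,
    which gives the strongest interpolant of Theorem 2."""
    if not is_unsat_proof(R, A + B, A1 + B1):
        raise ValueError("R is not a proof of unsatisfiability")
    R1 = R[:len(A)]
    coeffs, rhs = row_times(R1, A), Fr(dot(R1, A1))  # partial interpolant (Equation 1)
    only_a = occurs(A) - occurs(B)                    # variables occurring only in AX = A1
    a = [coeffs[j] for j in sorted(only_a) if coeffs[j] != 0]
    if not a:                                         # Lemma 3: already an interpolant
        return coeffs, rhs, None
    assert all(x.denominator == 1 for x in a)         # Lemma 2: these are integers
    alpha = reduce(gcd, (abs(int(x)) for x in a))
    beta = alpha if beta is None else beta
    if beta <= 0 or alpha % beta:
        raise ValueError("beta must be a positive divisor of alpha")
    # Theorem 2: drop the A-only variables, replace equality by equality mod beta.
    return [Fr(0) if j in only_a else c for j, c in enumerate(coeffs)], rhs, beta

def normalize(eq):
    """Clear denominators with P5: multiply both sides and the modulus by c > 0."""
    coeffs, rhs, mod = eq
    c = reduce(lambda u, v: u * v // gcd(u, v),
               (Fr(x).denominator for x in coeffs + [rhs]), 1)
    return [x * c for x in coeffs], rhs * c, None if mod is None else mod * c

def holds(eq, X):
    """Does the integer point X satisfy the LDE (modulus None) or LME eq?"""
    coeffs, rhs, mod = eq
    diff = Fr(dot(coeffs, X) - rhs)
    return diff == 0 if mod is None else (diff / mod).denominator == 1

def check_interpolant(A, A1, B, B1, I, box=range(-10, 11)):
    """Bounded check of the three interpolant conditions on integer points in box."""
    if not occurs([I[0]]) <= occurs(A) & occurs(B):   # only common variables
        return False
    for X in product(box, repeat=len(A[0])):
        in_f = all(holds((r, a, None), X) for r, a in zip(A, A1))
        in_g = all(holds((r, b, None), X) for r, b in zip(B, B1))
        if (in_f and not holds(I, X)) or (in_g and holds(I, X)):
            return False
    return True

# Inputs taken from Examples 6, 7 and 8: (A, A', B, B', R).
EX6 = ([[1, 1, 0], [1, -1, 0]], [1, 1], [[0, 2, 2]], [3], [Fr(1, 2), Fr(-1, 2), Fr(1, 2)])
EX7 = ([[1, -2, 0]], [0], [[1, 0, -2]], [1], [Fr(1, 2), Fr(1, 2)])
EX8 = ([[30, 4]], [2], [[0, 1]], [2], [Fr(1, 5), Fr(1, 5)])

if __name__ == "__main__":
    for name, ex in (("Example 6", EX6), ("Example 7", EX7), ("Example 8", EX8)):
        interp = interpolate_lde(*ex)
        print(name, normalize(interp), check_interpolant(*ex[:4], interp))
```

For Example 7, normalize turns the computed $\frac{1}{2}x \equiv 0 \pmod{1}$ into $x \equiv 0 \pmod{2}$, the form the text arrives at through P5.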


4  System  of  linear  modular  equations  (LMEs) 

In this section we discuss proofs of unsatisfiability and interpolation algorithm for LMEs. We first consider
a system of LMEs where all equations have the same modulus $l$, where $l$ is a rational number. We denote this
system as $CX \equiv_l D$, where $C$ denotes an $m \times n$ rational matrix, $X$ denotes a column vector of $n$ integer
variables and $D$ denotes a column vector of $m$ rational numbers. The next theorem gives a necessary and
sufficient condition for $CX \equiv_l D$ to have an integral solution.

Theorem 3 The system $CX \equiv_l D$ has no integral solution $X$ if and only if there exists a rational row vector
$R$ such that $RC$ is integral, $lR$ is integral, and $RD$ is not an integer. Note that $lR$ denotes the row vector
obtained by multiplying each element of $R$ by rational number $l$. (The size of $R$ is $1 \times m$.)

The proof uses reduction to LDEs. See Appendix B.1 for the proof.

Definition 3 We say a system of LMEs $CX \equiv_l D$ is unsatisfiable if it has no integral solution $X$. A proof
of unsatisfiability for a system of LMEs $CX \equiv_l D$ is a rational row vector $R$ such that $RC$ is integral, $lR$
is integral, and $RD$ is not an integer.

Example 9 Consider the system of LMEs $CX \equiv_8 D$ and a proof of unsatisfiability $R$:

$$CX \equiv_8 D := \begin{bmatrix} 2 & 2 \\ 2 & 1 \\ 4 & 0 \end{bmatrix} \begin{bmatrix} x \\ y \end{bmatrix} \equiv_8 \begin{bmatrix} 4 \\ 4 \\ 4 \end{bmatrix}, \qquad R = \left[\tfrac{1}{4}, -\tfrac{1}{2}, -\tfrac{1}{8}\right], \quad RC = [-1, 0], \quad lR = [2, -4, -1], \quad RD = -\tfrac{3}{2}$$

Intuitively, $CX \equiv_8 D$ is unsatisfiable because we can take an integer linear combination of the given
equations using $lR$ to get a contradiction $0 \equiv_8 -12$.

Definition 4 (Implication) A system of LMEs $CX \equiv_l D$ implies a LME $AX \equiv_l B$, if every integral vector
$X$ satisfying $CX \equiv_l D$ also satisfies $AX \equiv_l B$.

Lemma 4 For every integral row vector $U$ the system of LMEs $CX \equiv_l D$ implies $UCX \equiv_l UD$.

4.1  Computing  interpolants  for  systems  of  LMEs

Let $AX \equiv_l A'$ and $BX \equiv_l B'$ be two systems of LMEs such that $AX \equiv_l A' \wedge BX \equiv_l B'$ is unsatisfiable.
We show that $(AX \equiv_l A', BX \equiv_l B')$ always has an LME as an interpolant. Let $R = [R_1, R_2]$ denote
a proof of unsatisfiability for the system $AX \equiv_l A' \wedge BX \equiv_l B'$ such that $R_1 A + R_2 B$ is integral,
$lR = [lR_1, lR_2]$ is integral, and $R_1 A' + R_2 B'$ is not an integer. The following theorem shows that we can
take integer linear combinations of equations in $AX \equiv_l A'$ to obtain interpolants.

Theorem 4 We assume $l \neq 0$. Let $S_1$ denote the set of non-zero coefficients of $x_i \in V_{A \setminus B}$ in $R_1 AX$. Let
$S_2$ denote the set of non-zero elements of row vector $lR_1$. If $S_2 = \emptyset$, then the interpolant for $(AX \equiv_l
A', BX \equiv_l B')$ is a trivial LME $0 \equiv_l 0$. Otherwise, let $S_2 \neq \emptyset$. Let $\alpha$ denote the gcd of numbers in $S_1 \cup S_2$.

(a) $\alpha$ is an integer and $\alpha > 0$.

(b) Let $\beta$ be any integer that divides $\alpha$. Let $U = \frac{l}{\beta} R_1$. Then $UAX \equiv_l UA'$ is an interpolant for $(AX \equiv_l
A', BX \equiv_l B')$.

The proof is given in Appendix B.2.

Example 10 Consider the system of LMEs $CX \equiv_l D$ in Example 9. Let $AX \equiv_l A'$ denote the first two
equations in $CX \equiv_l D$ and $BX \equiv_l B'$ denote the last equation in $CX \equiv_l D$. Observe that $V_{A \setminus B} :=
\{y\}$, $V_{AB} := \{x\}$, $V_{B \setminus A} := \emptyset$. A proof of unsatisfiability for $CX \equiv_l D$ is $R = [\frac{1}{4}, -\frac{1}{2}, -\frac{1}{8}]$. We have
$R_1 = [\frac{1}{4}, -\frac{1}{2}]$, $lR_1 = [2, -4]$, $R_1 AX$ is $-\frac{1}{2}x$, $S_1 = \emptyset$, $S_2 = \{2, -4\}$, $\alpha = 2$. We can take $\beta = 1$
or $\beta = 2$ to obtain two valid interpolants. For $\beta = 1$, $U = [2, -4]$ and the interpolant $UAX \equiv_l UA'$
is $-4x \equiv_8 -8$ (equivalently $x \equiv_2 0$). For $\beta = 2$, $U = [1, -2]$ and the interpolant $UAX \equiv_l UA'$ is
$-2x \equiv_8 -4$ (equivalently $x \equiv_4 2$).


4.2  Handling  LMEs  with  different  moduli 

Consider a system $F$ of LMEs, where equations in $F$ can have different moduli. In order to check the
satisfiability of $F$, we obtain another equivalent system of equations $F'$ such that each equation in $F'$ has
the same modulus. This is done using a standard trick described in Mathews [22]. Let $m_1, \ldots, m_k$ represent
the different moduli occurring in equations in $F$. Let $m$ denote the least common multiple of $m_1, \ldots, m_k$.
We multiply each equation $t \equiv_{m_i} c$ in $F$ by $\frac{m}{m_i}$ to obtain another equation $\frac{m}{m_i} t \equiv_m \frac{m}{m_i} c$. Let $F'$ represent
the set of new equations. All equations in $F'$ have the same modulus $m$. Using basic modular arithmetic one
can show that $F$ and $F'$ are equivalent. Suppose $F$ is unsatisfiable. Then the interpolants for any partition
of $F$ can be computed by working with $F'$ and using the techniques described in the previous section. For
example, let $F$ represent the following system of LMEs $x \equiv_2 1 \wedge x + y \equiv_4 2 \wedge 2x + y \equiv_8 4$. One can
work with $F' := 4x \equiv_8 4 \wedge 2x + 2y \equiv_8 4 \wedge 2x + y \equiv_8 4$ instead of $F$.

5  Algorithms  for  obtaining  Proofs  of  Unsatisfiability 

Polynomial  time  algorithms  are  known  for  determining  if  a  system  of  LDEs  CX  =  D  has  an  integral 
solution  or  not  [29].  We  review  one  such  algorithm  that  is  based  on  the  computation  of  the  Hermite  normal 
form  (HNF)  of  the  matrix  C. 

Using standard Gaussian elimination it can be determined if $CX = D$ has a rational solution or not. If $CX = D$ has no rational solution, then it cannot have any integral solution. In the discussion below we assume that $CX = D$ has a rational solution. Without loss of generality we assume that matrix $C$ has full row rank, that is, all rows of $C$ are linearly independent (linearly dependent equations can be removed).

The HNF of an $m \times n$ matrix $C$ with full row rank is of the form $[E\ 0]$ where $0$ represents an $m \times (n - m)$ matrix filled with zeros and $E$ is a square $m \times m$ matrix with the following properties: 1) $E$ is lower triangular 2) $E$ is non-singular (invertible) 3) all entries in $E$ are non-negative and the maximum entry in each row lies on the diagonal. The HNF of a matrix can be obtained by three elementary column operations: 1) Exchanging two columns. 2) Multiplying a column by -1. 3) Adding an integral multiple of one column to another column. Each column operation can be represented by a unimodular matrix. A unimodular matrix is a square matrix with integer entries and determinant +1 or -1. The product of unimodular matrices is a unimodular matrix. The inverse of a unimodular matrix is a unimodular matrix. The conversion of $C$ to HNF can be represented as follows: $CU = [E\ 0]$, where $U$ is a unimodular matrix, the sizes of $C$, $U$, $E$ are $m \times n$, $n \times n$, $m \times m$, respectively, and $0$ represents an $m \times (n - m)$ matrix filled with zeros ($n \geq m$ because $C$ has full row rank). The following result shows the use of HNF in determining the satisfiability of a system of LDEs. Let $E^{-1}$ denote the matrix inverse of $E$.

Lemma 5 (Schrijver [29]) For $C$, $X$, $D$, $E$ defined as above, $CX = D$ has no integral solution if and only if $E^{-1}D$ is not integral.

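Example 11 For the system of LDEs $CX = D$ in example 2 we have the following:

[Matrix display not recoverable; surviving labels: $C$, $U$, $E$, $E^{-1}$, $D$, "not integral".]

Example 12 For the system of LDEs $CX = D$ in example 3 we have the following:

$$\underbrace{\begin{bmatrix} 1 & -2 & 0 \\ 1 & 0 & -2 \end{bmatrix}}_{C} \underbrace{\begin{bmatrix} 1 & 2 & -2 \\ 0 & 1 & -1 \\ 0 & 0 & -1 \end{bmatrix}}_{U} = \underbrace{\begin{bmatrix} 1 & 0 & 0 \\ 1 & 2 & 0 \end{bmatrix}}_{[E\ 0]} \qquad \underbrace{\begin{bmatrix} 1 & 0 \\ -\frac{1}{2} & \frac{1}{2} \end{bmatrix}}_{E^{-1}} \underbrace{\begin{bmatrix} 0 \\ 1 \end{bmatrix}}_{D} = \underbrace{\begin{bmatrix} 0 \\ \frac{1}{2} \end{bmatrix}}_{\text{not integral}}$$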


5.1  Obtaining  a  proof  of  unsatisfiability  for  a  system  of  LDEs 

If  a  system  of  LDEs  CX  =  D  is  unsatisfiable,  then  we  want  to  compute  a  row  vector  R  such  that  RC  is 
integral  and  RD  is  not  an  integer.  The  following  corollary  shows  that  the  proof  of  unsatisfiability  can  be 
obtained  by  using  the  HNF  of  C. 

Corollary 1 Given $CX = D$ where $C$, $D$ are rational matrices, and $C$ has full row rank. Let $[E\ 0]$ denote the HNF of $C$. If $CX = D$ has no integral solution, then $E^{-1}D$ is not integral. Suppose the $i$-th entry in $E^{-1}D$ is not an integer. Let $R'$ denote the $i$-th row in $E^{-1}$. Then (a) $R'D$ is not an integer and (b) $R'C$ is integral. Thus, $R'$ serves as the required proof of unsatisfiability of $CX = D$.

The  proof  is  given  in  the  appendix  C. 

Example  13  In  example  11  the  third  row  in  E~1D  is  not  an  integer.  Thus,  the  proof  of  unsatisfiability  of 
CX  =  D  is  the  third  row  in  E~l  which  is  [0, 0,  \}. 

In example 12 the second row in $E^{-1}D$ is not an integer. Thus, the proof of unsatisfiability of $CX = D$ is the second row in $E^{-1}$, which is $[-\frac{1}{2}, \frac{1}{2}]$.

Proofs of unsatisfiability for LMEs Let $CX \equiv_l D$ be a system of LMEs. Each equation $t_i \equiv_l d_i$ in $CX \equiv_l D$ can be written as an equi-satisfiable LDE, $t_i + lv_i = d_i$, where $v_i$ is a new integer variable. In this way we can reduce the given $CX \equiv_l D$ to an equi-satisfiable system of LDEs $C'Z = D$. The proof of unsatisfiability of $C'Z = D$ is exactly a proof of unsatisfiability of $CX \equiv_l D$ (see the proof of theorem 3).
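The HNF route of Corollary 1 and the LME-to-LDE reduction just described, as an added example (not the paper's INT2 code, which uses PARI/GP for the HNF). It assumes an integer matrix with full row rank and an integer modulus; the function names are hypothetical. The LDE input is the system $x - 2y = 0$, $x - 2z = 1$ and the LME input is the system of Example 10.

```python
from fractions import Fraction


def hnf_lower(C):
    """Return E from the Hermite normal form [E 0] of an integer m x n matrix C
    with full row rank, using only the three unimodular column operations."""
    M = [list(row) for row in C]
    m, n = len(M), len(M[0])
    for i in range(m):
        while True:
            nonzero = [j for j in range(i, n) if M[i][j] != 0]
            if not nonzero:
                raise ValueError("C does not have full row rank")
            p = min(nonzero, key=lambda j: abs(M[i][j]))
            for row in M:                      # exchange columns i and p
                row[i], row[p] = row[p], row[i]
            if M[i][i] < 0:                    # multiply column i by -1
                for row in M:
                    row[i] = -row[i]
            for j in range(i + 1, n):          # subtract multiples of column i
                q = M[i][j] // M[i][i]
                for row in M:
                    row[j] -= q * row[i]
            if all(M[i][j] == 0 for j in range(i + 1, n)):
                break
        for j in range(i):                     # entries left of diagonal into [0, E_ii)
            q = M[i][j] // M[i][i]
            for row in M:
                row[j] -= q * row[i]
    return [row[:m] for row in M]


def inverse_lower(E):
    """Exact inverse of a non-singular lower-triangular matrix."""
    m = len(E)
    inv = [[Fraction(0)] * m for _ in range(m)]
    for c in range(m):
        for r in range(c, m):
            acc = sum(E[r][k] * inv[k][c] for k in range(c, r))
            inv[r][c] = (Fraction(int(r == c)) - acc) / E[r][r]
    return inv


def dot(row, col):
    return sum((Fraction(a) * b for a, b in zip(row, col)), Fraction(0))


def is_integral(values):
    return all(Fraction(v).denominator == 1 for v in values)


def proof_of_unsat_lde(C, D):
    """Corollary 1: a row R' of E^-1 with R'D not an integer, or None when
    E^-1 D is integral (by Lemma 5, CX = D then has an integral solution)."""
    for row in inverse_lower(hnf_lower(C)):
        if not is_integral([dot(row, D)]):
            return row
    return None


def proof_of_unsat_lme(C, D, l):
    """Reduce CX =_l D to C'Z = D with C' = [C | l*I] (one fresh integer
    variable v_i per equation) and reuse the LDE procedure."""
    m = len(C)
    C1 = [list(C[i]) + [l if j == i else 0 for j in range(m)] for i in range(m)]
    return proof_of_unsat_lde(C1, D)


def is_proof(R, C, D, l=None):
    """Check the definition directly: RC integral, RD not an integer and,
    for LMEs with modulus l, lR integral."""
    RC = [dot(R, [row[j] for row in C]) for j in range(len(C[0]))]
    ok = is_integral(RC) and not is_integral([dot(R, D)])
    return ok and (l is None or is_integral([l * r for r in R]))


LDE_C, LDE_D = [[1, -2, 0], [1, 0, -2]], [0, 1]                    # x-2y=0, x-2z=1
LME_C, LME_D, LME_L = [[2, 2], [2, 1], [4, 0]], [4, 4, 4], 8       # Example 10

if __name__ == "__main__":
    print(hnf_lower(LDE_C), proof_of_unsat_lde(LDE_C, LDE_D))
    print(proof_of_unsat_lme(LME_C, LME_D, LME_L))
```

The vector returned for the LME system need not equal the one quoted in Example 10; any vector passing `is_proof` can feed the interpolation step.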

Complexity  If  a  system  of  LDEs  or  LMEs  is  unsatisfiable,  then  we  can  obtain  a  proof  of  unsatisfiability 
in  polynomial  time.  This  is  because  HNF  computation,  matrix  inversion,  and  matrix  multiplication  can  be 
done  in  polynomial  time  in  the  size  of  input  [29,  31].  The  interpolation  algorithms  described  in  Sections  3 
and  4  are  polynomial  in  the  size  of  the  given  formulas  and  the  proof  of  unsatisfiability. 

6  Handling  Linear  Diophantine  Equations  and  Disequations 

We show how to compute interpolants in presence of linear diophantine disequations. A linear diophantine disequation (LDD) is of the form $c_1x_1 + \ldots + c_nx_n \neq c_0$, where $c_0, \ldots, c_n$ are rational numbers and $x_1, \ldots, x_n$ are integer variables. A system of LDEs+LDDs denotes conjunctions of LDEs and LDDs. For example, $x + 2y = 1 \wedge x + y \neq 1 \wedge 2y + z \neq 1$ with $x, y, z$ as integer variables represents a system of LDEs+LDDs. We represent a conjunction of $m$ LDDs as $\bigwedge_{i=1}^{m} C_iX \neq D_i$, where $C_i$ is a rational row vector and $D_i$ is a rational number. The next theorem gives a necessary and sufficient condition for a system of LDEs+LDDs to have an integral solution.

Theorem 5 Let $F$ denote $AX = B \wedge \bigwedge_{i=1}^{m} C_iX \neq D_i$. The following are equivalent:

1. $F$ has no integral solution

2. $F$ has no rational solution or $AX = B$ has no integral solution.

The proof of (2) $\Rightarrow$ (1) in Theorem 5 is easy. The proof of (1) $\Rightarrow$ (2) is involved and relies on the following lemmas (full proof is given in the appendix F). The first lemma shows that if a system of LDEs $AX = B$ has an integral solution, then every LDE that is implied by $AX = B$ can be obtained by a linear combination of equations in $AX = B$.

Lemma 6 A system of LDEs $AX = B$ implies a LDE $EX = F$ if and only if $AX = B$ is unsatisfiable or there exists a rational vector $R$ such that $E = RA$ and $F = RB$.

We  use  the  properties  of  the  cutting-plane  proof  system  [29,  7]  in  order  to  prove  lemma  6.  The  proof  is 
given  in  the  appendix  D.  The  next  lemma  shows  that  if  a  system  of  LDEs  implies  a  disjunction  of  LDEs, 
then  it  implies  one  of  the  LDEs  in  the  disjunction  (also  called  convexity  [25]). 

Lemma 7 A system of LDEs $AX = B$ implies $\bigvee_{i=1}^{m} C_iX = D_i$ if and only if there exists $1 \leq k \leq m$ such that $AX = B$ implies $C_kX = D_k$.

We use a theorem from [29] that gives a parametric description of the integral solutions to $AX = B$ in order to prove lemma 7. See the appendix E for the full proof. Let $F$ denote $AX = B \wedge \bigwedge_{i=1}^{m} C_iX \neq D_i$. Using Theorem 5 we can determine whether $F$ has an integral solution in polynomial time. This is because checking if $AX = B$ has an integral solution can be done in polynomial time [29, 7]. Checking whether the system $F$ has a rational solution can be done in polynomial time as well [25].

6.1  Interpolants  for  LDEs+LDDs 

We say a system of LDEs+LDDs is unsatisfiable if it has no integral solution. Consider systems of LDEs+LDDs $F := F_1 \wedge F_2$ and $G := G_1 \wedge G_2$, where $F_1$, $G_1$ are systems of LDEs and $F_2$, $G_2$ are systems of LDDs. $F \wedge G$ represents another system of LDEs+LDDs. Suppose $F \wedge G$ is unsatisfiable. The interpolant for $(F, G)$ can be computed by considering two cases (due to theorem 5):

Case 1: $F \wedge G$ is unsatisfiable because $F_1 \wedge F_2 \wedge G_1 \wedge G_2$ has no rational solution. We can compute an interpolant for $(F, G)$ using the techniques described in [24, 33, 28, 10]. For completeness we describe this case in the appendix G. The interpolant can be a LDE or a LDD.

Case 2: $F \wedge G$ is unsatisfiable because $F_1 \wedge G_1$ has no integral solution. In this case we can compute an interpolant for the pair $(F_1, G_1)$ using the techniques from Section 3. The interpolant for $(F_1, G_1)$ will be an interpolant for $(F, G)$. It can be a LDE or a LME.

7  Experimental  results 

We implemented the interpolation algorithms for conjunctions of LDEs, LMEs, LDDs in a tool called INT2 (INTeger INTerpolate). The experiments are performed on a 1.86 GHz Intel Xeon (R) machine with 4 GB of memory running Linux. INT2 is designed for computing interpolants for formulas (LDEs, LMEs, LDEs+LDDs) that are satisfiable over rationals but unsatisfiable over integers. Currently, there are no other interpolation tools for such formulas.

7.1  Use  of  Interpolants  in  Verification 

We wrote a collection of small C programs each containing a while loop and an ERROR label. These programs are safe (ERROR is unreachable). The existing tools based on predicate abstraction and counterexample guided abstraction refinement (CEGAR) such as BLAST [1, 17], SATABS [2] are not able to verify these programs. This is because the inductive invariant required for the proof contains LMEs as predicates, shown in the “Preds/Interpolants” column of Table 1. These predicates cannot be discovered by the interpolation engine [24, 28] used in BLAST or by the weakest precondition based procedure used in SATABS. The interpolation algorithms described in this paper are able to find the right predicates by computing the interpolants for spurious program traces. Only one unwinding of the while loop suffices to find the right predicates in 6 out of 7 cases. In program ex5 multiple unwindings of the while loop produce predicates of the form $x = 0$, $y = 4$, $x = 4$, $y = 8$, .... After a few unwindings these predicates are generalized to obtain $x \equiv_4 0$, $y \equiv_4 0$ (by taking gcd of the numbers involved).

Example   Preds/Interpolants                  VINT2
ex1       $y \equiv_2 1$                      2.72s
ex2       $x + y \equiv_2 0$                  0.83s
ex4       $x + y + z \equiv_4 0$              0.95s
ex5       $x \equiv_4 0$, $y \equiv_4 0$      1.1s
ex6       $4x + 2y + z \equiv_8 0$            0.93s
ex7       $4x - 2y + z \equiv_{222} 0$        0.54s
forb1     $x + y \equiv_3 0$

Table 1: Table showing the predicates needed and time taken in seconds.

Figure 1: Comparing Hermite Normal Form based algorithm and black-box use of Yices for getting proofs of unsatisfiability. [Plot not reproduced; surviving axis label: Yices Black-box Use (seconds).]

We wrote similar programs in Verilog and tried verifying them with VCEGAR [3], a CEGAR based model checker for Verilog. VCEGAR fails on these examples due to its use of weakest preconditions. Next, we externally provided the interpolants (predicates) found by INT2 to VCEGAR. With the help of these predicates VCEGAR is able to show the unreachability of ERROR labels in all examples except forb1 (ERROR is reachable in the Verilog version of forb1). The runtimes are shown in “VINT2” column.

7.2 Proofs of unsatisfiability (PoU) algorithms

We obtained 459 unsatisfiable formulas (system of LDEs) by unwinding the while loops for C programs mentioned above. The number of LDEs in these formulas ranges from 3 to 1500 with 2 to 4 variables per equation. There are two options for obtaining PoU in INT2.

(a) Using Hermite Normal Form (HNF) (Section 5.1). We use PARI/GP [32] to compute HNF of matrices.

(b)  By  using  a  state-of-the-art  SMT  solver  Yices  1.0.11  [4]  in  a  black-box  fashion  (along  the  lines  of 
[28]).  Given  a  system  of  LDEs  AX  =  B  we  encode  the  constraints  that  RA  is  integral  and  RB  is 
not  an  integer  by  means  of  mixed  integer  linear  arithmetic  constraints  (see  the  appendix  J).  The  SMT 
solver  returns  concrete  values  to  elements  in  R  if  AX  =  B  is  unsatisfiable. 

The comparison between (a) and (b) is shown in Figure 1. There is a timeout of 1000 seconds per problem. The HNF based algorithm is able to solve all problems, while the black-box usage of Yices cannot solve 102 problems within the timeout. Thus, the HNF based method is superior to the black-box use of Yices.

We  also  ran  Yices  to  decide  whether  AX  =  B  has  an  integral  solution  or  not.  The  system  AX  =  B  (X 
integral)  is  given  to  Yices.  In  this  case,  Yices  is  very  efficient  and  reports  the  satisfiability  or  unsatisfiability 
of  AX  =  B  quickly.  However,  no  PoU  is  provided  when  AX  =  B  is  unsatisfiable.  In  principle  it  is  possible 
for  Yices  to  provide  a  PoU  when  AX  =  B  is  unsatisfiable  (although  this  will  add  some  overhead). 

Note  that  the  interpolation  algorithms  proposed  in  our  paper  are  independent  of  the  algorithm  used  to 
generate  the  PoU.  Any  decision  procedure  that  can  produce  PoU  according  to  definitions  1,  3  can  be  used 
(we  are  not  restricted  to  using  HNF  or  Yices). 

8  Conclusion 

We presented polynomial time algorithms for computing proofs of unsatisfiability and interpolants for conjunctions of linear diophantine equations, linear modular equations and linear diophantine disequations. These interpolation algorithms are useful for discovering modular/divisibility predicates from spurious counterexamples in a counterexample guided abstraction refinement framework. In future, we plan to work on interpolating theorem provers for integer linear arithmetic and bit-vector arithmetic and make use of the satisfiability modulo theories framework.

Acknowledgment. We thank Axel Legay and Jeremy Avigad for their valuable comments.

A Proofs from Section 3

Proof of Lemma 1

Proof. $UCX = UD$ is a linear combination of equations in $CX = D$. Let $X_0$ be an integral solution to $CX = D$. It is easy to verify that $X_0$ also satisfies $UCX = UD$. Thus, the system of LDEs $CX = D$ implies the LDE $UCX = UD$ for any rational row vector $U$.

Since $UCX_0 - UD = 0$, any rational number $m$ divides $UCX_0 - UD$. It follows that $X_0$ is also a solution to the LME $UCX \equiv_m UD$. Thus, the system of LDEs $CX = D$ implies the LME $UCX \equiv_m UD$ for any rational row vector $U$ and rational number $m$. □

Why $F \wedge G$ has no LDE as interpolant in Example 5.

Proof. Recall that $F$ is $x - 2y = 0$ and $G$ is $x - 2z = 1$, where $x, y, z$ are integers. Observe that $F$ has an integral solution, for example, $x = 2$, $y = 1$. Thus, by lemma 6 any LDE that is implied by $F$ must be of the form $r(x - 2y = 0)$, where $r$ is a rational number.

Suppose $(F, G)$ have an LDE $I$ as an interpolant. Since $F \Rightarrow I$, $I$ must be of the form $r(x - 2y = 0)$. But $I$ can only contain variable $x$ (common variable of $F$ and $G$). This is possible only when $r = 0$. With $r = 0$, $I$ reduces to $0 = 0$ which is not unsatisfiable with $G$. Thus, $(F, G)$ cannot have an LDE as an interpolant. □

Proof of Lemma 2

Proof. By definition of $V_{A \setminus B}$ the coefficient of $x_i \in V_{A \setminus B}$ is zero in each equation of $BX = B'$. Thus, the coefficient of $x_i \in V_{A \setminus B}$ must be the same in $R_1AX$ and $(R_1A + R_2B)X$. Since $R_1A + R_2B$ is integral it follows that the coefficient of $x_i \in V_{A \setminus B}$ ($a_i$) in the partial interpolant is an integer. □


A.1 Proof of Lemma 3

Lemma 3. The partial interpolant $R_1AX = R_1A'$ satisfies the first two conditions in the definition of an interpolant. That is,

1. $AX = A'$ implies $R_1AX = R_1A'$

2. $(R_1AX = R_1A') \wedge BX = B'$ is unsatisfiable

If $a_i = 0$ for all $x_i \in V_{A \setminus B}$ (equation 1), then the partial interpolant is also an interpolant for $(AX = A', BX = B')$. In this case the partial interpolant only contains the variables from $V_{AB}$.

Proof. 1. $AX = A'$ implies $R_1AX = R_1A'$. This follows from Lemma 1.

2. Observe that $(R_1AX = R_1A') \wedge BX = B'$ is a system of LDEs

$$\begin{bmatrix} R_1A \\ B \end{bmatrix} X = \begin{bmatrix} R_1A' \\ B' \end{bmatrix}$$

We show that the row vector $[1, R_2]$ is a proof of unsatisfiability of $I \wedge (BX = B')$. This requires showing the conditions in the definition of proof of unsatisfiability are met.

- To show $[1, R_2] \begin{bmatrix} R_1A \\ B \end{bmatrix}$ is integral.

The above product is equal to $R_1A + R_2B$ which is integral.

- To show $[1, R_2] \begin{bmatrix} R_1A' \\ B' \end{bmatrix}$ is not an integer.

The above product is equal to $R_1A' + R_2B'$ which is not an integer. Thus, $[1, R_2]$ is a proof of unsatisfiability of $I \wedge (BX = B')$. So $I \wedge (BX = B')$ is unsatisfiable. □


A.2 Proof of Theorem 2

Recall that rational row vector $[R_1, R_2]$ is the proof of unsatisfiability of $AX = A' \wedge BX = B'$ ($A$, $B$, $A'$, $B'$ are rational matrices) such that

$R_1A + R_2B$ is integral

$R_1A' + R_2B'$ is not an integer

We call $R_1AX = R_1A'$ the partial interpolant for $(AX = A', BX = B')$. It can be written as follows:

$$\sum_{x_i \in V_{A \setminus B}} a_ix_i + \sum_{x_i \in V_{AB}} b_ix_i = c \qquad (2)$$

where all coefficients $a_i$, $b_i$ and $c = R_1A'$ are rational numbers. The above equation is the same as Equation 1 repeated here for convenience.

Similarly, $R_2BX = R_2B'$ can be written as follows:

$$\sum_{x_i \in V_{AB}} e_ix_i + \sum_{x_i \in V_{B \setminus A}} f_ix_i = d \qquad (3)$$

where all coefficients $e_i$, $f_i$ and $d = R_2B'$ are rational numbers. Observe that $R_2BX = R_2B'$ does not contain any variable from $V_{A \setminus B}$.

Lemma 8 Using the notation from Equations 2 and 3:

(a) For all $x_i \in V_{A \setminus B}$, $a_i$ is an integer.

(b) For all $x_i \in V_{AB}$, $b_i + e_i$ is an integer.

(c) For all $x_i \in V_{B \setminus A}$, $f_i$ is an integer.

(d) $c + d$ is not an integer.

Proof. The sum of the left hand sides of Equations 2 and 3 is

$$\sum_{x_i \in V_{A \setminus B}} a_ix_i + \sum_{x_i \in V_{AB}} (b_i + e_i)x_i + \sum_{x_i \in V_{B \setminus A}} f_ix_i$$

which is the same as $(R_1A + R_2B)X$. Since $R_1A + R_2B$ is integral each coefficient in the above sum must be an integer. This gives us the desired results (a), (b), (c).

Since $c + d = R_1A' + R_2B'$ and $R_1A' + R_2B'$ is not an integer we get (d). □

Theorem 2. Assume that the coefficient $a_i$ of at least one $x_i \in V_{A \setminus B}$ in the partial interpolant (Equation 2) is not zero. Let $\alpha$ denote the gcd of $\{a_i \mid x_i \in V_{A \setminus B}\}$.

(a) $\alpha$ is an integer and $\alpha > 0$.

(b) Let $\beta$ be any integer that divides $\alpha$. Then the following linear modular equation $I_\beta$ is an interpolant for $(AX = A', BX = B')$.

$$I_\beta := \sum_{x_i \in V_{AB}} b_ix_i \equiv c \pmod{\beta}$$

Observe that $I_\beta$ contains only variables that are common to both $AX = A'$ and $BX = B'$. It is obtained from the partial interpolant (Equation 2) by dropping all variables occurring only in $AX = A'$ ($V_{A \setminus B}$) and replacing the linear equality by a modular equality.

Proof. (a) By lemma 8 each $a_i$ is an integer. Since $\alpha$ is the gcd of $\{a_i \mid x_i \in V_{A \setminus B}\}$, $\alpha$ must be an integer. Also note that $\alpha$ is non-zero since at least one $a_i$ is non-zero. By definition of gcd $\alpha$ is positive.

(b) To show that $I_\beta$ is an interpolant for $(AX = A', BX = B')$.

1. We need to show that $AX = A'$ implies $I_\beta$. Recall that $AX = A'$ implies the partial interpolant $R_1AX = R_1A'$ from lemma 3. We show that $R_1AX = R_1A'$ implies $I_\beta$.

From basic modular arithmetic it follows that $s = t$ implies $s \equiv t \pmod{\gamma}$ for any rational number $\gamma$. Thus, the partial interpolant $R_1AX = R_1A'$ implies $R_1AX \equiv_\beta R_1A'$, where $\beta$ is any integer that divides $\alpha$. Consider the equation form of $R_1AX \equiv_\beta R_1A'$ (equation 2):

$$\sum_{x_i \in V_{A \setminus B}} a_ix_i + \sum_{x_i \in V_{AB}} b_ix_i \equiv_\beta c \qquad (4)$$

By definition $\alpha$ divides $a_i$ for all $x_i \in V_{A \setminus B}$. Since $\beta$ divides $\alpha$, it follows that $\beta$ divides $a_i$ for all $x_i \in V_{A \setminus B}$. As $x_i$ is an integer valued variable, $a_ix_i$ is divisible by $\beta$ for all $x_i \in V_{A \setminus B}$. It follows that

$$\sum_{x_i \in V_{A \setminus B}} a_ix_i \equiv_\beta 0. \qquad (5)$$

Subtract equation 5 from equation 4 to obtain

$$\sum_{x_i \in V_{AB}} b_ix_i \equiv_\beta c.$$

The above equation is $I_\beta$. $AX = A'$ implies $R_1AX = R_1A'$ and $R_1AX = R_1A'$ implies equation 4. Equation 5 holds for any integral assignment to all $x_i \in V_{A \setminus B}$. So $R_1AX = R_1A'$ implies equation 5. Equations 4, 5 imply $I_\beta$. It follows that $AX = A'$ implies $I_\beta$.

2. We need to show that $I_\beta \wedge BX = B'$ is unsatisfiable. Assume for the sake of contradiction that $I_\beta \wedge BX = B'$ has an integral satisfying assignment. Let the satisfying assignment to $I_\beta \wedge BX = B'$ be $x_i = g_i$ where $g_i$ is an integer for all $x_i \in V_{AB} \cup V_{B \setminus A}$. Since $I_\beta$ is satisfied by $g_i$ we have

$$\sum_{x_i \in V_{AB}} b_ig_i \equiv_\beta c$$

Thus, there exists an integer $t$ such that

$$\sum_{x_i \in V_{AB}} b_ig_i + t\beta = c \qquad (6)$$

The equation $R_2BX = R_2B'$ is implied by $BX = B'$. Thus, the satisfying assignment $x_i = g_i$ for all $x_i \in V_{AB} \cup V_{B \setminus A}$ satisfies $R_2BX = R_2B'$. By plugging in the values $g_i$ for $x_i$ in Equation 3 we get:

$$\sum_{x_i \in V_{AB}} e_ig_i + \sum_{x_i \in V_{B \setminus A}} f_ig_i = d \qquad (7)$$

We can sum the equations 6, 7 to get

$$t\beta + \sum_{x_i \in V_{AB}} (b_i + e_i)g_i + \sum_{x_i \in V_{B \setminus A}} f_ig_i = c + d \qquad (8)$$

We know that $t$, $\beta$ are integers, $g_i$ are integers for all $x_i \in V_{AB} \cup V_{B \setminus A}$, and from Lemma 8 it follows that $b_i + e_i$ is an integer for $x_i \in V_{AB}$ and $f_i$ is an integer for $x_i \in V_{B \setminus A}$. It follows that the left hand side of Equation 8 is an integer, while the right hand side of Equation 8 is not an integer by Lemma 8. Thus, the above equation is the required contradiction. It follows that $I_\beta \wedge BX = B'$ is unsatisfiable.

3. By the definition of $I_\beta$ it follows that $I_\beta$ only contains common variables of $AX = A'$ and $BX = B'$. □

A.3 Algorithm for Computing Interpolants for LDEs

Algorithm 1 Interpolation for Linear Diophantine Equations

Require: Systems of LDEs $AX = A'$ and $BX = B'$, $AX = A' \wedge BX = B'$ is unsatisfiable.

Ensure: Return an interpolant for $(AX = A', BX = B')$

$[R_1, R_2] \Leftarrow$ proof of unsatisfiability of $AX = A' \wedge BX = B'$
    {$R_1A + R_2B$ is integral and $R_1A' + R_2B'$ is not an integer}
$PI \Leftarrow R_1AX = R_1A'$ {$PI$ represents partial interpolant}
$PI$ can be written as
    $\sum_{x_i \in V_{A \setminus B}} a_ix_i + \sum_{x_i \in V_{AB}} b_ix_i = c$
    {$V_{AB} \subseteq X$ represents variables occurring in both $AX = A'$, $BX = B'$, while $V_{A \setminus B} \subseteq X$ represents variables occurring in only $AX = A'$}
if $a_i = 0$ for all $x_i \in V_{A \setminus B}$ then
    return $PI$ {Interpolant is a LDE}
else
    $\alpha \Leftarrow \gcd\{a_i \mid x_i \in V_{A \setminus B}\}$ {$\alpha$ is an integer}
    Let $\beta$ be any integer that divides $\alpha$. Let linear modular equation
        $I_\beta := \sum_{x_i \in V_{AB}} b_ix_i \equiv_\beta c$
    return $I_\beta$ {Interpolant is a LME}
end if
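Algorithm 1 in executable form, as an added example that is not the paper's INT2 code. It is run on the pair $F: x - 2y = 0$, $G: x - 2z = 1$ of Example 5 with the proof of unsatisfiability $[-\frac{1}{2}, \frac{1}{2}]$, and the result is sanity-checked on all integer points of a small box. The function names, the variable order $(x, y, z)$ and the box size are assumptions of this sketch.

```python
from fractions import Fraction
from functools import reduce
from itertools import product
from math import gcd


def lde_interpolant(A, A1, B, R1, beta=None):
    """Algorithm 1 for (AX = A', BX = B'). R1 is the part of the proof of
    unsatisfiability [R1, R2] that multiplies A; A and B share one column
    order. Returns (coeffs, rhs, modulus); modulus None means an LDE."""
    n = len(A[0])
    only_a = {j for j in range(n) if all(row[j] == 0 for row in B)}
    pi = [sum((Fraction(r) * row[j] for r, row in zip(R1, A)), Fraction(0))
          for j in range(n)]                                   # R1 A
    c = sum((Fraction(r) * a for r, a in zip(R1, A1)), Fraction(0))  # R1 A'
    a = [pi[j] for j in only_a if pi[j] != 0]
    if not a:
        return pi, c, None             # partial interpolant is already an LDE
    if any(v.denominator != 1 for v in a):
        raise ValueError("R1 does not come from a proof of unsatisfiability")
    alpha = reduce(gcd, (abs(int(v)) for v in a))
    beta = alpha if beta is None else beta
    if beta == 0 or alpha % beta:
        raise ValueError("beta must divide alpha")
    # drop the A-only variables and read the equality modulo beta
    return [Fraction(0) if j in only_a else pi[j] for j in range(n)], c, beta


def holds(coeffs, rhs, modulus, point):
    """Does the point satisfy coeffs . X = rhs (or the congruence modulo modulus)?"""
    diff = sum((Fraction(k) * v for k, v in zip(coeffs, point)), Fraction(0)) - rhs
    return diff == 0 if modulus is None else (diff / modulus).denominator == 1


def check_interpolant(A, A1, B, B1, interp, box=range(-4, 5)):
    """Test the three interpolant conditions on every integer point of a
    small box (a sanity check on sample points, not a proof)."""
    coeffs, rhs, modulus = interp
    sat = lambda M, V, p: all(holds(M[i], V[i], None, p) for i in range(len(M)))
    pts = list(product(box, repeat=len(A[0])))
    implied = all(holds(coeffs, rhs, modulus, p) for p in pts if sat(A, A1, p))
    refuted = not any(holds(coeffs, rhs, modulus, p) and sat(B, B1, p) for p in pts)
    a_vars = {j for row in A for j, k in enumerate(row) if k != 0}
    b_vars = {j for row in B for j, k in enumerate(row) if k != 0}
    common = all(k == 0 for j, k in enumerate(coeffs) if j not in (a_vars & b_vars))
    return implied and refuted and common


# Example 5, variables ordered (x, y, z).
EX5_A, EX5_A1 = [[1, -2, 0]], [0]      # F: x - 2y = 0
EX5_B, EX5_B1 = [[1, 0, -2]], [1]      # G: x - 2z = 1
EX5_R1 = [Fraction(-1, 2)]             # R = [-1/2, 1/2], so R1 = [-1/2]

if __name__ == "__main__":
    interp = lde_interpolant(EX5_A, EX5_A1, EX5_B, EX5_R1)
    print(interp, check_interpolant(EX5_A, EX5_A1, EX5_B, EX5_B1, interp))
```

The result is $-\frac{1}{2}x \equiv_1 0$, that is, $x$ is even: an LME, consistent with the argument above that this pair has no LDE interpolant.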


B  Proofs  from  Section  4 

B.1 Proof of Theorem 3

In order to prove theorem 3 we reduce the given system of LMEs to an equisatisfiable system of LDEs. We then use theorem 1 about the satisfiability of LDEs in order to complete the proof.

Reduction of a system of LMEs to an equisatisfiable system of LDEs

Suppose we are given a system $CX \equiv_l D$ of linear modular equations:

$$\underbrace{\begin{bmatrix} c_{11} & \cdots & c_{1n} \\ c_{21} & \cdots & c_{2n} \\ \vdots & & \vdots \\ c_{m1} & \cdots & c_{mn} \end{bmatrix}}_{C} \underbrace{\begin{bmatrix} x_1 \\ \vdots \\ x_n \end{bmatrix}}_{X} \equiv_l \underbrace{\begin{bmatrix} d_1 \\ d_2 \\ \vdots \\ d_m \end{bmatrix}}_{D}$$

For each equation $\sum_{j=1}^{n} c_{ij}x_j \equiv_l d_i$ in $CX \equiv_l D$ we introduce a new integer variable $v_i$, to obtain a new equation (without modulo), given as follows:

$$\sum_{j=1}^{n} c_{ij}x_j + lv_i = d_i$$

The above equation is equi-satisfiable to the linear modular equation $\sum_{j=1}^{n} c_{ij}x_j \equiv_l d_i$. Let $V$ denote the vector of variables $v_1, \ldots, v_m$. We call the new system of linear equations $C'Z = D$, where $Z$ denotes the concatenation of variable vectors $X$ and $V$. Note that $C'Z = D$ is a system of linear diophantine equations.

Lemma 9 The following are equivalent:

(a) the system of linear modular equations $CX \equiv_l D$ has an integral solution

(b) the system of linear diophantine equations $C'Z = D$ has an integral solution.

Proof. The proof of the above lemma is elementary.

Theorem 3. Let $C$ be a rational matrix, $D$ be a rational column vector, and $l$ be a rational number. The system $CX \equiv_l D$ has no integral solution $X$ if and only if there exists a rational row vector $R$ such that $RC$ is integral, $lR$ is integral, and $RD$ is not an integer.

From lemma 9 and theorem 1 the following are equivalent:

(a) linear modular equations $CX \equiv_l D$ has no integral solution

(b) linear diophantine equations $C'Z = D$ has no integral solution

(c) There exists a row vector $R$ such that $RC'$ is integral and $RD$ is not an integer.

We show that the property of $R$ in (c) is equivalent to “(d) $RC$ is integral, $lR$ is integral, and $RD$ is not an integer”.

Let $R = [r_1, \ldots, r_m]$, then

$$RC' = \left[ \sum_{i=1}^{m} r_ic_{i1}, \sum_{i=1}^{m} r_ic_{i2}, \ldots, \sum_{i=1}^{m} r_ic_{in}, lr_1, \ldots, lr_m \right]$$

$$RC' = [RC, lR]$$

Thus, $RC'$ is integral if and only if $RC$ and $lR$ are integral. This shows (c) is equivalent to (d). Thus, (a) is equivalent to (d) as required by the proof. □

B.2 Proof of Theorem 4

Recall that $V_{A \setminus B}$ denotes the set of variables that occur only in $AX \equiv_l A'$ (and not in $BX \equiv_l B'$) and $V_{AB}$ denotes the set of variables that occur in both $AX \equiv_l A'$ and $BX \equiv_l B'$. The rational row vector $R = [R_1, R_2]$ is a proof of unsatisfiability of $AX \equiv_l A' \wedge BX \equiv_l B'$ such that

$R_1A + R_2B$ is integral (9)

$lR = [lR_1, lR_2]$ is integral (10)

$R_1A' + R_2B'$ is not an integer. (11)

Lemma 10 The coefficient of $x_i \in V_{A \setminus B}$ in $R_1AX$ is an integer.

Proof. By definition of $V_{A \setminus B}$ the coefficient of $x_i \in V_{A \setminus B}$ is zero in $R_2BX$. Thus, the coefficient of $x_i \in V_{A \setminus B}$ is the same in $R_1AX$ and $(R_1A + R_2B)X$. We know $R_1A + R_2B$ is integral from equation 9. So the coefficient of $x_i \in V_{A \setminus B}$ in $R_1AX$ is an integer. □

Theorem 4. We assume $l \neq 0$. Let $S_1$ denote the set of non-zero coefficients of $x_i \in V_{A \setminus B}$ in $R_1AX$. Let $S_2$ denote the set of all non-zero elements of row vector $lR_1$. If $S_2 = \emptyset$, then the interpolant for $(AX \equiv_l A', BX \equiv_l B')$ is a trivial LME $0 \equiv_l 0$. Otherwise, let $S_2 \neq \emptyset$. Let $\alpha$ denote the gcd of numbers in $S_1 \cup S_2$. (a) $\alpha$ is an integer and $\alpha > 0$. (b) Let $\beta$ be any integer that divides $\alpha$. Let $U = \frac{l}{\beta}R_1$. Then $UAX \equiv_l UA'$ is an interpolant for $(AX \equiv_l A', BX \equiv_l B')$.

Proof. $S_2 = \emptyset$: If $S_2 = \emptyset$ it follows that all elements of $lR_1$ are zero. Since $l \neq 0$, $R_1$ must be a zero vector. It follows that $R_1A$ is a zero vector and $R_1A' = 0$. Using equation 9 and the fact that $R_1A$ is a zero vector, it follows that $R_2B$ is integral. Using equation 11 and $R_1A' = 0$, it follows that $R_2B'$ is not an integer. Thus, $BX \equiv_l B'$ is itself unsatisfiable with $R_2$ as the proof of unsatisfiability. In this case we can simply take true as the interpolant for the pair $(AX \equiv_l A', BX \equiv_l B')$. The interpolant true can be expressed as a trivial LME $0 \equiv_l 0$.

$S_2 \neq \emptyset$: We first show that $\alpha$ is an integer. Since $lR_1$ is integral (see equation 10) all elements of $S_2$ are non-zero integers. All elements of $S_1$ are non-zero integers due to Lemma 10. Thus, $S_1 \cup S_2$ is a set of non-zero integers. Since $S_2 \neq \emptyset$ there exists at least one element in $S_1 \cup S_2$. $\alpha$ is the gcd of the numbers in $S_1 \cup S_2$. So $\alpha$ is a non-zero integer and by definition of gcd $\alpha$ is positive.

Let $\beta$ be any integer that divides $\alpha$. Note that $\beta \neq 0$ as $\alpha \neq 0$. We define

$$I_\beta := UAX \equiv_l UA' \quad \text{where} \quad U = \frac{l}{\beta}R_1 \qquad (12)$$

We need to show that $I_\beta$ is an interpolant for the pair $(AX \equiv_l A', BX \equiv_l B')$.


(a) To show $AX \equiv_l A' \Rightarrow I_\beta$. If we show that $U$ is integral, then by lemma 4 it follows that $AX \equiv_l A' \Rightarrow UAX \equiv_l UA'$ and thus $AX \equiv_l A' \Rightarrow I_\beta$. We need to show that $U$ is integral.

Recall from equation 10 that $lR_1$ is integral. By definition of $\alpha$ it follows that $\alpha$ divides every element in $S_2$ or the row vector $lR_1$. Since $\beta$ divides $\alpha$, $\beta$ divides every element in $lR_1$. So $\frac{lR_1}{\beta} = \frac{l}{\beta}R_1 = U$ is an integral vector.

(b) To show $I_\beta \wedge (BX \equiv_l B')$ is unsatisfiable. Observe that $I_\beta \wedge (BX \equiv_l B')$ is another system of LMEs

$$\begin{bmatrix} UA \\ B \end{bmatrix} X \equiv_l \begin{bmatrix} UA' \\ B' \end{bmatrix}$$

We show that the row vector $[\frac{\beta}{l}, R_2]$ serves as the proof of unsatisfiability of $I_\beta \wedge (BX \equiv_l B')$. We will check the conditions in the definition of proof of unsatisfiability.

- To show $[\frac{\beta}{l}, R_2] \begin{bmatrix} UA \\ B \end{bmatrix}$ is integral.

The above product is equal to $\frac{\beta}{l}(UA) + R_2B = R_1A + R_2B$. By equation 9 we know that $R_1A + R_2B$ is integral.

- To show that $l[\frac{\beta}{l}, R_2] = [\beta, lR_2]$ is integral. From equation 10, $lR_2$ is integral and $\beta$ is an integer by definition.

- To show $[\frac{\beta}{l}, R_2] \begin{bmatrix} UA' \\ B' \end{bmatrix}$ is not an integer.

The above product is equal to $\frac{\beta}{l}(UA') + R_2B' = R_1A' + R_2B'$. By equation 11 we know that $R_1A' + R_2B'$ is not an integer.

We conclude that $[\frac{\beta}{l}, R_2]$ is a proof of unsatisfiability of $I_\beta \wedge (BX \equiv_l B')$. Thus, $I_\beta \wedge (BX \equiv_l B')$ is unsatisfiable.


(c) To show that $I_\beta$ only contains variables that are common to both $(AX \equiv_l A', BX \equiv_l B')$. Since $I_\beta$ is obtained by a linear combination of equations from $AX \equiv_l A'$, we can write $I_\beta$ as follows:

$$\underbrace{\sum_{x_i \in V_{A \setminus B}} a_i x_i + \sum_{x_i \in V_{AB}} b_i x_i}_{UAX} \equiv_l \underbrace{c}_{UA'} \qquad (13)$$

where all coefficients $a_i$, $b_i$ and $c = UA'$ are rational numbers.

We will show that the coefficient $a_i$ of each $x_i \in V_{A \setminus B}$ in equation 13 is divisible by $l$. This will in turn show that

$$\sum_{x_i \in V_{A \setminus B}} a_i x_i \equiv_l 0 \qquad (14)$$

since $x_i$ are integer variables. This will allow $I_\beta$ to be written in an equivalent manner (containing only variables from $V_{AB}$) as follows:

$$\sum_{x_i \in V_{AB}} b_i x_i \equiv_l c.$$

We now show that the coefficient $a_i$ of each $x_i \in V_{A \setminus B}$ in equation 13 is divisible by $l$. Recall that

$$I_\beta := UAX \equiv_l UA' \quad \text{where} \quad U = \frac{l}{\beta} R_1 \text{ and } \beta \text{ divides } \alpha. \qquad (15)$$

By definition $\alpha$ divides every element in $S_1$

$\Rightarrow$ $\alpha$ divides the coefficient of each $x_i \in V_{A \setminus B}$ in $R_1AX$

$\Rightarrow$ $\beta$ divides the coefficient of each $x_i \in V_{A \setminus B}$ in $R_1AX$.

$\Rightarrow$ the coefficient of $x_i \in V_{A \setminus B}$ in $\frac{1}{\beta} R_1AX$ is an integer.

$\Rightarrow$ the coefficient of $x_i \in V_{A \setminus B}$ in $l \times \frac{1}{\beta} R_1AX$ is divisible by $l$.

$\Rightarrow$ the coefficient of $x_i \in V_{A \setminus B}$ in $UAX$ is divisible by $l$ (as $U = \frac{l}{\beta} R_1$)

The coefficient of $x_i \in V_{A \setminus B}$ in $UAX$ is simply $a_i$ (equation 13). So $l$ divides $a_i$. □

Degenerate case $l = 0$. Let $AX \equiv_l A'$ be a system of LMEs. For $l = 0$, $AX \equiv_l A'$ is equivalent to a system of LDEs $AX = A'$. In order to see this, consider an LME $\sum_{i=1}^{n} a_i x_i \equiv_0 b$. This LME is satisfied if and only if $\sum_{i=1}^{n} a_i x_i - b = 0 \times \lambda$, for some integer $\lambda$. Thus, the LME $\sum_{i=1}^{n} a_i x_i \equiv_0 b$ is equivalent to the LDE $\sum_{i=1}^{n} a_i x_i = b$.

Suppose $AX \equiv_0 A' \wedge BX \equiv_0 B'$ is unsatisfiable. Then the interpolant for $(AX \equiv_0 A', BX \equiv_0 B')$ can be obtained by computing the interpolant for the pair of LDEs $(AX = A', BX = B')$.

C  Proof  of  Corollary  1 

Corollary 1. Given $CX = D$ where $C$, $D$ are rational matrices, and $C$ has full row rank. Let $[E \; 0]$ denote the Hermite normal form (HNF) of $C$. If $CX = D$ has no integral solution, then $E^{-1}D$ is not integral (due to lemma 5). Suppose the $i$th entry in $E^{-1}D$ is not an integer. Let $R'$ denote the $i$th row in $E^{-1}$. Then

(a) $R'D$ is not an integer

(b) $R'C$ is integral

Thus, $R'$ serves as the required proof of unsatisfiability of $CX = D$.

Proof. (a) Follows from the definition of $R'$.

(b) We know that

$$CU = [E \; 0]$$

where $U$ is a unimodular matrix. Since $E$ is invertible (by definition of HNF) we can multiply both sides of the above equation by $E^{-1}$ to obtain

$$E^{-1}CU = E^{-1}[E \; 0].$$

The above equation simplifies to

$$E^{-1}CU = [I \; 0]$$

where $I$ is the identity matrix. Since $U$ is unimodular its inverse ($U^{-1}$) exists and it is a unimodular matrix. Multiply both sides of the above equation by $U^{-1}$ to obtain

$$E^{-1}CUU^{-1} = [I \; 0]U^{-1}.$$

The above equation simplifies to

$$E^{-1}C = [I \; 0]U^{-1}.$$

Since $U^{-1}$ is unimodular the right hand side of the above equation has integral entries. Thus, the left hand side $E^{-1}C$ is integral. In particular the $i$th row in $E^{-1}C$ is integral. Observe that the $i$th row in $E^{-1}C$ is simply $R'C$. Thus, $R'C$ is integral. □

D  Proof  of  Lemma  6


We need to introduce the cutting-plane proof system [29, 7] in order to prove this lemma. Suppose we are given a system of integer linear inequalities $AX \le B$, where $A$, $B$ are rational matrices and $X$ is a column vector of integer variables. The following inference rules allow us to derive new inequalities that are implied by $AX \le B$.

nonneg_lin_comb: We can take a non-negative linear combination of inequalities to derive a new inequality.

$$\frac{AX \le B}{RAX \le RB} \quad R \ge 0$$

($R$ is a rational row vector whose each element is non-negative.)

rounding: If we have a linear inequality $EX \le F$ such that all coefficients in $E$ are integers ($E \in \mathbb{Z}^n$), then we can round down the right hand side $F$.

$$\frac{EX \le F}{EX \le \lfloor F \rfloor} \quad E \in \mathbb{Z}^n$$

($EX \le F$ in the above rule represents a single inequality and not a system of inequalities. $E$ is a row vector containing $n$ integers.) We say an application of the rounding rule is redundant if $F = \lfloor F \rfloor$ in the above inference rule.

weak_rhs: Given $F \le F'$ and a linear inequality $EX \le F$ we can derive $EX \le F'$.

$$\frac{EX \le F}{EX \le F'} \quad F \le F'$$

We say an application of the weak_rhs rule is redundant if $F = F'$ in the above inference rule.

A cutting plane proof of an inequality $EX \le F$ from $AX \le B$ is a sequence of inequalities $E_1X \le F_1, \ldots, E_lX \le F_l$ such that

$$\frac{AX \le B, \; E_1X \le F_1, \ldots, E_{i-1}X \le F_{i-1}}{E_iX \le F_i} \quad \text{nonneg\_lin\_comb or rounding}$$

for each $i = 1, \ldots, l$ and each step is an application of the nonneg_lin_comb or the rounding inference rules ($E_1, \ldots, E_l$ are rational row vectors and $F_1, \ldots, F_l$ are rational numbers). We do not need the weak_rhs rule anywhere, except possibly as the last step in a cutting plane proof.

$$\frac{E_lX \le F_l}{EX \le F} \quad E = E_l, \; F_l \le F.$$

The cutting plane proof system provides a sound and complete inference system for integer linear inequalities. This is stated formally in the following theorem.

Theorem 6 (Schrijver [29]) We are given a system of integer linear inequalities $AX \le B$, where $A$, $B$ are rational matrices and $X$ is a column vector of integer variables. Let $EX \le F$ be an inequality, where $E$ is a rational row vector and $F$ is a rational number.

1. $AX \le B$ has an integral solution and $AX \le B$ implies $EX \le F$ if and only if there is a cutting plane proof of $EX \le F$ from $AX \le B$.

2. $AX \le B$ has no integral solution if and only if there is a cutting plane proof of $0 \le -1$ from $AX \le B$.

We  need  to  prove  the  following: 

Lemma 6: The following are equivalent:

1. A system of LDEs $AX = B$ implies a LDE $EX = F$

2. $AX = B$ has no integral solution or there exists a rational row vector $R$ such that $E = RA$ and $F = RB$.

Proof. (2) $\Rightarrow$ (1) is straightforward.

(1) $\Rightarrow$ (2): Given $AX = B$ implies a linear equation $EX = F$. If $AX = B$ has no integral solution we are done, that is, (2) holds. Otherwise, assume that $AX = B$ has an integral solution.

We can write $AX = B$ as an equivalent system of inequalities $AX \le B \wedge -AX \le -B$. The cutting plane (CP) proof rules provide a complete inference system for integer linear inequalities. We can write the LDE $EX = F$ as $EX \le F \wedge -EX \le -F$. The system of linear inequalities $AX \le B \wedge -AX \le -B$ implies $EX \le F \wedge -EX \le -F$. Let us consider the CP proof of $EX \le F$ from the inequalities $AX \le B \wedge -AX \le -B$. We show that the inference rules used in this proof will only involve the nonneg_linear_comb rule. Any application of the rounding or weak_rhs rule will either be redundant or will lead to a contradiction. The latter case is not possible because $AX = B$ or the equivalent system of inequalities has an integral solution.

Consider the first application of rounding in the CP proof of $EX \le F$.

$$\frac{E_iX \le F_i}{E_iX \le \lfloor F_i \rfloor} \quad E_i \in \mathbb{Z}^n$$

Since all the rules used to derive $E_iX \le F_i$ are non negative linear combination rules, we can combine all steps used to derive $E_iX \le F_i$ by a single application of the nonneg_lin_comb rule. That is, we can find a rational row vector $[R_1, R_2]$ such that

$$\frac{\begin{bmatrix} A \\ -A \end{bmatrix} X \le \begin{bmatrix} B \\ -B \end{bmatrix}}{\underbrace{[R_1, R_2] \begin{bmatrix} A \\ -A \end{bmatrix}}_{E_i} X \le \underbrace{[R_1, R_2] \begin{bmatrix} B \\ -B \end{bmatrix}}_{F_i}} \quad [R_1, R_2] \ge 0$$

where $R_1$, $R_2$ are non-negative, $E_i = R_1A + R_2(-A)$ and $F_i = R_1B + R_2(-B)$. We can also derive $-E_iX \le -F_i$ by taking a non negative linear combination of $AX \le B \wedge -AX \le -B$ using $[R_2, R_1]$. If $F_i = \lfloor F_i \rfloor$ then the application of the rounding rule

$$\frac{E_iX \le F_i}{E_iX \le \lfloor F_i \rfloor} \quad E_i \in \mathbb{Z}^n$$

is redundant. Otherwise, let $\lfloor F_i \rfloor = k \; (\neq F_i)$ and

$$\frac{E_iX \le F_i}{E_iX \le k} \quad E_i \in \mathbb{Z}^n$$

Since $\lfloor -F_i \rfloor = -k - 1$, we apply rounding to $-E_iX \le -F_i$ to obtain

$$\frac{-E_iX \le -F_i}{-E_iX \le -k - 1} \quad -E_i \in \mathbb{Z}^n$$

By combining the above two equations ($E_iX \le k$ and $-E_iX \le -k - 1$) we obtain an equation $0 \le -1$. But this means that the original system of inequalities $AX \le B \wedge -AX \le -B$ has no integral solution, which contradicts our assumption. Thus, the first application of the rounding rule in the CP proof must be redundant. Using similar reasoning (induction on the length of the proof) we can conclude that all applications of rounding in the CP proof must be redundant.

In the CP proof system described above there can be only one application of the weak_rhs rule as the last step in a CP proof. We now show that the application of weak_rhs at the end of the CP proof must be redundant.

$$\frac{EX \le F_l}{EX \le F} \quad F_l \le F.$$

If $F_l = F$, then the application of weak_rhs is redundant. Otherwise, suppose $F_l < F$. Recall that $-EX \le -F$ is also an implied inequality of the original system. We can add $-EX \le -F$ and $EX \le F_l$ to obtain $0 \le F_l - F$. Since $F_l < F$ we can divide $0 \le F_l - F$ by the positive rational number $F - F_l$, to obtain the equation $0 \le -1$. But this is a contradiction.

Thus, the cutting plane proof of $EX \le F$ can only involve redundant applications of rounding or weak_rhs rules. These applications of rounding or weak_rhs rules can be removed to obtain a derivation of $EX \le F$ that only involves the nonneg_linear_comb rule. All applications of the nonneg_linear_comb rule in a CP proof can be combined to obtain a vector $[S_1, S_2]$ such that

$$\frac{\begin{bmatrix} A \\ -A \end{bmatrix} X \le \begin{bmatrix} B \\ -B \end{bmatrix}}{\underbrace{[S_1, S_2] \begin{bmatrix} A \\ -A \end{bmatrix}}_{E} X \le \underbrace{[S_1, S_2] \begin{bmatrix} B \\ -B \end{bmatrix}}_{F}} \quad [S_1, S_2] \ge 0$$

where $S_1$, $S_2$ are non-negative, $E = S_1A + S_2(-A)$ and $F = S_1B + S_2(-B)$. (Note that a proof of $-EX \le -F$ can be obtained by taking a non negative linear combination of $AX \le B$, $-AX \le -B$ using $[S_2, S_1]$.) Thus, there exists a rational vector $R = S_1 - S_2$ such that $E = RA$ and $F = RB$. This shows (2) holds. □


E  Proof  of  Lemma  7 

We  use  the  following  result  in  the  proof. 

Theorem 7 (Schrijver [29]) Let $AX = B$ be a system of LDEs, where $A$, $B$ are rational matrices and $X$ is a column vector of $n$ integer variables. If $AX = B$ is satisfiable (has an integral solution), then we can find in polynomial time integral vectors $X_0, \ldots, X_t \in \mathbb{Z}^n$ such that

$$\{X \mid AX = B; \; X \text{ integral}\} = \{X_0 + \lambda_1 X_1 + \ldots + \lambda_t X_t \mid \lambda_1, \ldots, \lambda_t \in \mathbb{Z}\}$$

with $X_1, \ldots, X_t$ linearly independent. (We think of $X_0, X_1, \ldots, X_t \in \mathbb{Z}^n$ as column vectors.)

Example 14 Consider a system of LDEs $AX = B$:

$$\begin{bmatrix} 2 & 6 & 3 \\ 1 & 1 & 0 \end{bmatrix} \begin{bmatrix} x \\ y \\ z \end{bmatrix} = \begin{bmatrix} 4 \\ 2 \end{bmatrix}$$

The set $S$ of solutions to $AX = B$ is given as:

$$S = \left\{ \begin{bmatrix} 2 \\ 0 \\ 0 \end{bmatrix} + \lambda_1 \begin{bmatrix} -3 \\ 3 \\ -4 \end{bmatrix} \;\middle|\; \lambda_1 \in \mathbb{Z} \right\} = \left\{ \begin{bmatrix} 2 - 3\lambda_1 \\ 3\lambda_1 \\ -4\lambda_1 \end{bmatrix} \;\middle|\; \lambda_1 \in \mathbb{Z} \right\}$$

Lemma 7: Let $AX = B$ denote a system of LDEs, where $A$, $B$ are rational matrices and $X$ is a column vector of integer variables. Let $C_iX = D_i$ denote a LDE for $1 \le i \le m$ ($C_i$ is a rational row vector and $D_i$ is a rational number). The following are equivalent:

1. $AX = B$ implies $\bigvee_{i=1}^{m} C_iX = D_i$

2. There exists a $1 \le k \le m$ such that $AX = B$ implies $C_kX = D_k$.


Proof. (2) $\Rightarrow$ (1): This direction of the proof is straightforward.

(1) $\Rightarrow$ (2): If $AX = B$ has no integral solution, then $AX = B$ implies any linear equation. Thus, (2) holds.

Assume that $AX = B$ has an integral solution. In this case we can use theorem 7 and write the set $S$ of all integral solutions to $AX = B$ as

$$S := \{X_0 + \lambda_1 X_1 + \ldots + \lambda_t X_t \mid \lambda_1, \ldots, \lambda_t \in \mathbb{Z}\}$$

where $X_0, X_1, \ldots, X_t \in \mathbb{Z}^n$ (assuming $X$ has size $n \times 1$).

By substituting $X = X_0 + \lambda_1 X_1 + \ldots + \lambda_t X_t$ (with $\lambda_1, \ldots, \lambda_t$ as symbolic variables) in $C_iX - D_i$ we obtain

$$C_i(X_0 + \lambda_1 X_1 + \ldots + \lambda_t X_t) - D_i.$$

Since $C_iX_0, \ldots, C_iX_t$ are scalars (rational numbers), the difference $C_iX - D_i$ for $X \in S$ is a linear expression in $\lambda_1, \ldots, \lambda_t$. We denote the difference $C_iX - D_i$ for $X \in S$ by $\delta_i$. It follows that

$$\left. \begin{aligned} \delta_1 &= u_{10} + u_{11}\lambda_1 + \ldots + u_{1t}\lambda_t \\ &\;\;\vdots \\ \delta_i &= u_{i0} + u_{i1}\lambda_1 + \ldots + u_{it}\lambda_t \\ &\;\;\vdots \\ \delta_m &= u_{m0} + u_{m1}\lambda_1 + \ldots + u_{mt}\lambda_t \end{aligned} \right\} EQ$$

where $u_{ij}$ are rational numbers, $\lambda_1, \ldots, \lambda_t, \delta_1, \ldots, \delta_m$ are symbolic variables. An integral assignment $\lambda_1 = \beta_1, \ldots, \lambda_t = \beta_t$ where $\beta_1, \ldots, \beta_t \in \mathbb{Z}$ gives a solution $X_\beta \in \mathbb{Z}^n$ to $AX = B$ ($X_\beta \in S$). If $\delta_i$ evaluates to zero for $\lambda_1 = \beta_1, \ldots, \lambda_t = \beta_t$, then $X_\beta$ satisfies the LDE $C_iX = D_i$. Otherwise, $X_\beta$ does not satisfy the LDE $C_iX = D_i$.


We  consider  two  cases. 

Case 1: If for some $1 \le k \le m$, $u_{k0} = \cdots = u_{kt} = 0$, then $\delta_k = 0$. That is, every $X \in S$ satisfies $C_kX = D_k$. Therefore, $AX = B$ implies $C_kX = D_k$. In this case (2) holds.

Case 2: For all $1 \le k \le m$ there is a $0 \le j \le t$ such that $u_{kj} \neq 0$. We show that case 2 cannot arise using proof by contradiction. We will give an algorithm for assigning integral values to $\lambda_1, \ldots, \lambda_t$ such that $\delta_1 \neq 0, \ldots, \delta_m \neq 0$. In other words, we will show that there exists an $X' \in S$ such that $C_iX' \neq D_i$ for all $1 \le i \le m$. This will mean that $AX = B$ does not imply $\bigvee_{i=1}^{m} C_iX = D_i$, leading to a contradiction.

It is convenient to think of expressions for $\delta_1, \ldots, \delta_m$ as a system of equations in $\delta_1, \ldots, \delta_m, \lambda_1, \ldots, \lambda_t$. We denote this system of equations as $EQ$.

We now give an algorithm for assigning integral values to $\lambda_1, \ldots, \lambda_t$ such that $\delta_1 \neq 0, \ldots, \delta_m \neq 0$. Our algorithm will assign $\lambda_i$ before $\lambda_{i+1}$ for each $1 \le i \le m - 1$.

Let $EQ_0 \subseteq EQ$ denote the equations that do not contain any variables $\lambda_1, \ldots, \lambda_t$. If $\delta_k = u_{k0}$ is an equation in $EQ_0$, then we know that $u_{k0} \neq 0$ (by case 2 assumption). Thus, $C_kX \neq D_k$ for any $X \in S$. Alternatively, $AX = B$ cannot imply $C_kX = D_k$. We can safely ignore the equations in $EQ_0$ for the rest of the proof.

Let $EQ_i \subseteq EQ$ for $1 \le i \le t$ denote the set of equations which contain only variables $\lambda_1, \ldots, \lambda_i$ such that the coefficient of $\lambda_i$ is not zero (coefficients of $\lambda_1, \ldots, \lambda_{i-1}$ can be zero).

We now describe an algorithm for assigning integer values to $\lambda_i$ for $1 \le i \le t$. The algorithm uses $EQ_i$ to assign a value to $\lambda_i$. Suppose we have assigned integral values $a_1, \ldots, a_{i-1}$ to $\lambda_1, \ldots, \lambda_{i-1}$, respectively. If $EQ_i = \emptyset$, then assign an arbitrary integer value $a_i$ to $\lambda_i$. Otherwise, substitute $\lambda_1 = a_1, \ldots, \lambda_{i-1} = a_{i-1}$ in $EQ_i$ to obtain a system of equations $EQ'_i$. A representative equation in $EQ'_i$ is

$$\delta_l = v_{l0} + u_{li}\lambda_i$$

where $v_{l0}$ is a rational number and $u_{li}$ is a non-zero rational number by definition of $EQ_i$. We want to assign $\lambda_i$ such that $\delta_l \neq 0$ for every equation $\delta_l = v_{l0} + u_{li}\lambda_i$ in $EQ'_i$. This can be done by assigning $\lambda_i$ any integer value that is different from $-\frac{v_{l0}}{u_{li}}$. Let

$$\lambda_i := a_i \quad \text{where } a_i \in \mathbb{Z} \text{ and } a_i \notin \left\{ -\frac{v_{l0}}{u_{li}} \;\middle|\; l \in EQ'_i \right\}$$

where $l \in EQ'_i$ is a short form of saying that equation $\delta_l = v_{l0} + u_{li}\lambda_i$ is in $EQ'_i$. We can always find a suitable $a_i$ because the set of integers has infinite cardinality (and we have a finite set of rational numbers/integers that cannot be assigned to $\lambda_i$).

Let $\delta_l = u_{l0} + \sum_{j=1}^{i} u_{lj}\lambda_j$ denote an equation in $EQ_1 \cup \ldots \cup EQ_i$. The following invariant holds after $\lambda_i$ is assigned $a_i$: if $\lambda_1 = a_1, \ldots, \lambda_i = a_i$ is substituted in $\delta_l = u_{l0} + \sum_{j=1}^{i} u_{lj}\lambda_j$, then $\delta_l \neq 0$.

Thus, once we have assigned $\lambda_1 = a_1, \ldots, \lambda_t = a_t$ using the above algorithm we have $\delta_1 \neq 0, \ldots, \delta_m \neq 0$. Let $X' \in S$ be an integral solution to $AX = B$ given by $\lambda_1 = a_1, \ldots, \lambda_t = a_t$. Then $\delta_i = C_iX' - D_i \neq 0$ for each $1 \le i \le m$. That is, $AX = B$ does not imply $\bigvee_{i=1}^{m} C_iX = D_i$, leading to a contradiction. Thus, Case 2 cannot arise. □


F  Proof  of  Theorem  5 

In  addition  to  lemmas  6,7  we  will  use  the  following  theorem. 

Theorem 8 (Schrijver [29]) Let $A$ be a rational matrix, $B$ be a rational column vector, $C$ be a rational row vector. Assume that the system $AX = B$ has a rational solution. Then $AX = B$ implies (over rationals) $CX = D$ if and only if there is a row vector $R$ such that $RA = C$ and $RB = D$.

Theorem 5. Let $F$ denote $AX = B \wedge \bigwedge_{i=1}^{m} C_iX \neq D_i$. The following are equivalent:

1. $F$ has no integral solution

2. $F$ has no rational solution or $AX = B$ has no integral solution.

Proof. (2) $\Rightarrow$ (1) is straightforward.

(1) $\Rightarrow$ (2): Given $F$ has no integral solution. If $AX = B$ has no integral solution, then (2) holds. Otherwise, assume $AX = B$ has an integral solution. Since $F$ has no integral solution, every integral solution to $AX = B$ must satisfy $C_iX = D_i$ for some $1 \le i \le m$. That is,

$$AX = B \Rightarrow \bigvee_{i=1}^{m} C_iX = D_i$$

By lemma 7 it follows that there exists a $1 \le k \le m$ such that

$$AX = B \Rightarrow C_kX = D_k$$

By lemma 6 (and our assumption that $AX = B$ has an integral solution) it follows that there exists a rational row vector $R$ such that

$$C_k = RA \text{ and } D_k = RB$$

Using the vector $R$ and theorem 8 we can conclude that $AX = B$ implies $C_kX = D_k$ over rationals. So

$$AX = B \wedge C_kX \neq D_k$$

is unsatisfiable over rationals, or

$$AX = B \wedge \bigwedge_{i=1}^{m} C_iX \neq D_i$$

is unsatisfiable over rationals. Thus, $F$ is unsatisfiable over rationals and (2) holds. □


G  Interpolants  for  Linear  Diophantine  Equations  and  Disequations  (LDEs+LDDs) 

We  use  the  following  theorem. 

Theorem 9 (Schrijver [29]) Let $A$ be a rational matrix, $B$ be a rational column vector. The system $AX = B$ has no rational solution if and only if there exists a rational row vector $R$ such that $RA = 0$ and $RB \neq 0$.

Let $F$, $G$ be systems of LDEs+LDDs.

$$F := AX = B \wedge \bigwedge_i C_iX \neq D_i$$

$$G := A'X = B' \wedge \bigwedge_j C'_jX \neq D'_j$$

$F \wedge G$ represents another system of LDEs+LDDs. Suppose $F \wedge G$ is unsatisfiable (no integral solution). In this case we want to compute an interpolant for the pair $(F, G)$. We divided this problem into two cases in Section 6. We describe Case 1 below.

By case 1 assumption we know that $F \wedge G$ has no rational solution. We want to compute an interpolant for $(F, G)$. The interpolant for $(F, G)$ can be obtained by using the techniques discussed in [24, 33, 28, 10]. For completeness we show how to obtain an interpolant for $(F, G)$ by considering three sub-cases.

Case 1.1: $AX = B \wedge A'X = B'$ has no rational solution. Using theorem 9 there exists a row vector $[R_1, R_2]$ such that

$$R_1A + R_2A' = 0$$
$$R_1B + R_2B' \neq 0$$

In this case an interpolant for the pair $(F, G)$ is the linear equation $R_1AX = R_1B$. One can verify that $R_1AX = R_1B$ satisfies all the conditions required by the definition of interpolants.

We describe Case 1.2 and Case 1.3 next. Since $F \wedge G$ is unsatisfiable over rationals we have

$$AX = B \wedge A'X = B' \Rightarrow \Big( \bigvee_i C_iX = D_i \;\vee\; \bigvee_j C'_jX = D'_j \Big) \qquad (16)$$

The above implication holds for any rational $X$. We know that if a set of rational linear arithmetic constraints $T$ imply a disjunction of linear equations $\bigvee_{k=1}^{m} Eq_k$, then for some $1 \le k \le m$, $T$ implies $Eq_k$. This is due to convexity of rational linear arithmetic [25].

Due to convexity $AX = B \wedge A'X = B'$ will imply either an equality belonging to $\bigvee_i C_iX = D_i$ or an equality belonging to $\bigvee_j C'_jX = D'_j$ in equation 16. This gives Case 1.2 and Case 1.3.

Case 1.2: For some $j$, $AX = B \wedge A'X = B' \Rightarrow C'_jX = D'_j$. Using theorem 8 there exists a row vector $[R_1, R_2]$ such that

$$R_1A + R_2A' = C'_j$$
$$R_1B + R_2B' = D'_j$$

In this case an interpolant for $(F, G)$ is the linear equation $R_1AX = R_1B$. One can verify that $R_1AX = R_1B$ satisfies all the conditions required by the definition of interpolants.

Case 1.3: For some $i$, $AX = B \wedge A'X = B' \Rightarrow C_iX = D_i$.

In the above two cases (1.1 and 1.2) the interpolant is a linear equation. In this case the interpolant will be a linear disequation. Using theorem 8 there exists a row vector $[R_1, R_2]$ such that

$$R_1A + R_2A' = C_i$$
$$R_1B + R_2B' = D_i$$

Let $V_{FG}$ denote the variables that occur in both $F$ and $G$ and let $V_{F \setminus G}$ denote the variables that occur only in $F$ (and not in $G$).

Observe that $R_1AX = R_1B$ can be written as follows:

$$\sum_{x_i \in V_{F \setminus G}} a_i x_i + \sum_{x_i \in V_{FG}} b_i x_i = k$$

Similarly, $C_iX = D_i$ can be written as follows:

$$\sum_{x_i \in V_{F \setminus G}} a_i x_i + \sum_{x_i \in V_{FG}} c_i x_i = D_i$$

Observe that the variables $x_i \in V_{F \setminus G}$ have the same coefficients in $R_1AX$ and $C_iX$. This is because $C_i = R_1A + R_2A'$ and the coefficient of each $x_i \in V_{F \setminus G}$ in $R_2A'X$ is zero.

We can write $C_iX \neq D_i$ as

$$\sum_{x_i \in V_{F \setminus G}} a_i x_i + \sum_{x_i \in V_{FG}} c_i x_i \neq D_i$$

Note that $F$ implies $R_1AX = R_1B$ and $C_iX \neq D_i$. Thus, $F$ implies the disequation obtained by subtracting $R_1AX = R_1B$ and $C_iX \neq D_i$.

$$\sum_{x_i \in V_{FG}} b_i x_i - \sum_{x_i \in V_{FG}} c_i x_i \neq k - D_i$$

The above disequation is the required interpolant. It is implied by $F$ and only contains variables common to $F$, $G$. One can show that the above disequation is $R_2A'X \neq R_2B'$. Since $G$ implies $R_2A'X = R_2B'$ the above disequation is unsatisfiable with $G$.

H  Handling  of  Linear  Modular  Disequations 

Lemma 11 The problem of deciding whether a system (conjunction) of linear modular disequations (LMDs) has an integral solution is NP-hard.

Proof. We reduce a well known NP-hard problem 3-SAT to a system of LMDs denoted by $\mathcal{L}$. Let the variables in the 3-SAT problem be $z_1, \ldots, z_n$. For each variable $z_i$ in the 3-SAT problem we introduce two integer variables $x_i$ and $x'_i$ in $\mathcal{L}$, where $x_i$ represents the literal $z_i$ and $x'_i$ represents the literal $\neg z_i$.

The modulus of LMDs in $\mathcal{L}$ will be four. We first express the constraints that $x_i \equiv_4 1$ and $x'_i \equiv_4 0$ or $x_i \equiv_4 0$ and $x'_i \equiv_4 1$. This is done by means of the following LMDs.

$$\mathcal{L}_1 := \bigwedge_{i=1}^{n} \neg(x_i \equiv_4 x'_i) \wedge \bigwedge_{i=1}^{n} \neg(x_i \equiv_4 2) \wedge \bigwedge_{i=1}^{n} \neg(x_i \equiv_4 3) \wedge \bigwedge_{i=1}^{n} \neg(x'_i \equiv_4 2) \wedge \bigwedge_{i=1}^{n} \neg(x'_i \equiv_4 3)$$

Now consider any clause $u \vee v \vee w$ in the given 3-SAT formula, where $u, v, w \in \{z_1, \ldots, z_n, \neg z_1, \ldots, \neg z_n\}$. Let $\delta(u)$ map the literal $u$ to the corresponding variable in $\mathcal{L}$. For each clause $u \vee v \vee w$ in the 3-SAT formula, we generate the following LMD

$$\neg(\delta(u) + \delta(v) + \delta(w) \equiv_4 0).$$

The LMD above is falsified only when $\delta(u), \delta(v), \delta(w)$ are assigned 0 (mod 4). For all other assignments of values to $\delta(u), \delta(v), \delta(w)$ the LMD is satisfied (captures the semantics of the clause).

Let the set of clauses in the 3-SAT formula be $C$.

$$\mathcal{L}_2 := \bigwedge_{(u \vee v \vee w) \in C} \neg(\delta(u) + \delta(v) + \delta(w) \equiv_4 0)$$

Let $\mathcal{L} = \mathcal{L}_1 \wedge \mathcal{L}_2$. Observe that the 3-SAT formula is satisfiable if and only if $\mathcal{L}$ is satisfiable. The reduction
from  the  given  3-SAT  formula  to  C  is  polynomial  time.  This  establishes  the  NP-hardness  of  checking  the 
satisfiability  of  conjunctions  of  LMDs.  □ 
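The reduction in the proof of Lemma 11, written out as an added example (not code from the paper). It assumes a DIMACS-style clause encoding (literal `k` for $z_k$, `-k` for $\neg z_k$); the function names are hypothetical, and the LMD system is solved by brute force over residues mod 4 only to check the equivalence on small formulas.

```python
from itertools import product

MOD = 4  # modulus used by the reduction in Lemma 11


def lmds_from_3sat(n, clauses):
    """Build L1 and L2. Each LMD is (coeffs, rhs), meaning NOT(coeffs.X =_4 rhs).

    Variable order in X: x_1..x_n followed by x'_1..x'_n.
    """
    def delta(lit):
        # delta maps literal z_k to x_k and literal (not z_k) to x'_k
        return lit - 1 if lit > 0 else n + (-lit) - 1

    def unit(idx):
        row = [0] * (2 * n)
        row[idx] = 1
        return row

    lmds = []
    for i in range(n):                      # L1: x_i, x'_i in {0,1} and different
        diff = unit(i)
        diff[n + i] = -1
        lmds.append((diff, 0))              # NOT(x_i =_4 x'_i)
        for idx in (i, n + i):
            for bad in (2, 3):
                lmds.append((unit(idx), bad))
    for clause in clauses:                  # L2: one LMD per clause
        row = [0] * (2 * n)
        for lit in clause:
            row[delta(lit)] += 1            # repeated literals add up
        lmds.append((row, 0))               # NOT(delta(u)+delta(v)+delta(w) =_4 0)
    return lmds


def solve_lmds(lmds, nvars):
    """Brute-force search over Z_4^nvars; returns a solution tuple or None."""
    for X in product(range(MOD), repeat=nvars):
        if all((sum(c * x for c, x in zip(row, X)) - rhs) % MOD != 0
               for row, rhs in lmds):
            return X
    return None


def satisfies(bits, clauses):
    """True if the Boolean assignment bits (z_1..z_n) satisfies every clause."""
    return all(any(bits[abs(l) - 1] == (l > 0) for l in cl) for cl in clauses)


def solve_3sat(n, clauses):
    """Brute-force 3-SAT, used only as the reference answer."""
    for bits in product((False, True), repeat=n):
        if satisfies(bits, clauses):
            return bits
    return None


def decode(X, n):
    """Read the Boolean assignment back from an LMD solution (z_i true iff x_i = 1)."""
    return tuple(x == 1 for x in X[:n])
```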


H.1  Proofs of unsatisfiability and interpolants for LMDs

We can reduce a system of LMDs or LMEs+LMDs to a conjunction of atomic formulas in integer linear arithmetic (both problems are NP-hard) and use the cutting-plane proof system to obtain a proof of unsatisfiability. Pudlak's [27] algorithm can be used for obtaining interpolants.


I  Obtaining  polynomially  sized  cutting-plane  proofs  for  LDEs 


Given an unsatisfiable system of LDEs $AX = B$, a proof of unsatisfiability is a rational row vector $R$ such that $RA$ is integral, while $RB$ is not an integer. We know that $R$ can be obtained in polynomial time.

We show that using $R$ we can obtain a polynomially sized cutting plane proof of unsatisfiability of $AX = B$. The cutting plane proof system was described in Appendix D. It consists of three inference rules nonneg_lin_comb, rounding and weak_rhs.

We first write $R = S_1 - S_2$, where both $S_1$, $S_2$ are non-negative row vectors. For example, we can write

[i,-f]  =  [i,0]-[0,|]. 

We write $AX = B$ as $AX \le B \wedge -AX \le -B$. The cutting plane proof of unsatisfiability consists of the following steps.

$$\frac{AX \le B}{S_1AX \le S_1B} \quad S_1 \ge 0 \qquad \text{nonneg\_lin\_comb}$$

$$\frac{-AX \le -B}{-S_2AX \le -S_2B} \quad S_2 \ge 0 \qquad \text{nonneg\_lin\_comb}$$

$$\frac{S_1AX \le S_1B \qquad -S_2AX \le -S_2B}{[S_1 - S_2]AX \le [S_1 - S_2]B} \qquad \text{nonneg\_lin\_comb}$$

Since $R = [S_1 - S_2]$ we can write the above step as

$$\frac{S_1AX \le S_1B \qquad -S_2AX \le -S_2B}{RAX \le RB} \qquad \text{nonneg\_lin\_comb}$$

Multiplying $AX \le B$ by $S_2$ and $-AX \le -B$ by $S_1$ we can derive

$$\frac{S_2AX \le S_2B \qquad -S_1AX \le -S_1B}{-RAX \le -RB} \qquad \text{nonneg\_lin\_comb}$$

By definition of $R$ we know that $RB$ is not an integer. Let $\lfloor RB \rfloor = k$. Then $\lfloor -RB \rfloor = -k - 1$. Since $RA$ is integral we can apply rounding to $RAX \le RB$ and $-RAX \le -RB$.

$$\frac{RAX \le RB}{RAX \le k} \qquad \text{rounding}$$

$$\frac{-RAX \le -RB}{-RAX \le -k - 1} \qquad \text{rounding}$$

The contradiction is obtained by summing $RAX \le k$ and $-RAX \le -k - 1$.

$$\frac{RAX \le k \qquad -RAX \le -k - 1}{0 \le -1} \qquad \text{nonneg\_lin\_comb}$$

Since $R$ is polynomially sized the cutting plane proof is also polynomially sized.


J  Using  SMT  solvers  for  obtaining  a  proof  of  unsatisfiability  for  LDEs/LMEs 

We  can  determine  if  a  system  of  LDEs  CX  =  D  is  unsatisfiable  and  obtain  a  proof  of  unsatisfiability  (if 
applicable)  by  using  decision  procedures  for  (mixed)  integer  linear  arithmetic  in  a  black-box  fashion.  For 
example,  one  can  use  modern  SMT  solvers  such  as  Yices  [4]  to  obtain  proofs  of  unsatisfiability.  The  idea  is 
to  encode  the  existence  of  a  rational  row  vector  R  such  that  RC  is  integral  and  RD  is  not  an  integer  in  form 
of  a  formula  that  can  be  checked  using  existing  decision  procedures.  This  is  motivated  by  the  idea  proposed 
in  [28]  for  real  and  rational  linear  arithmetic.  We  illustrate  the  technique  by  means  of  an  example. 

Example 15 Consider the system of LDEs $CX = D$:

$$\begin{bmatrix} 1 & -2 & 0 \\ 1 & 0 & -2 \end{bmatrix} \begin{bmatrix} x \\ y \\ z \end{bmatrix} = \begin{bmatrix} 0 \\ 1 \end{bmatrix}$$

We use two rational variables $r_1, r_2$ to denote the proof of unsatisfiability $R = [r_1, r_2]$. We use three integer variables $v_1, v_2, v_3$ to express the constraint that $RC$ is integral. We introduce another integer variable $v_4$ to express the constraint that $RD = r_2$ is not an integer.

$$P := (v_1 = r_1 + r_2) \wedge (v_2 = -2r_1) \wedge (v_3 = -2r_2) \wedge (v_4 < r_2) \wedge (r_2 < v_4 + 1)$$

If the decision procedure for integer linear arithmetic determines that $P$ is satisfiable, then we get a proof of unsatisfiability for $CX = D$ by looking at the assignments to $r_1, r_2$. If $P$ is unsatisfiable, it means that the system $CX = D$ is satisfiable.

We formalize the idea below. Suppose the sizes of $C$, $X$, $D$ in the system of LDEs $CX = D$ are $m \times n$, $n \times 1$, $m \times 1$, respectively. The formula $P$ contains:

- $m$ rational variables $r_1, \ldots, r_m$ such that $R = [r_1, \ldots, r_m]$

- $n$ integer variables $v_1, \ldots, v_n$ to express that each element of $RC$ is integral.

- One integer variable $v_{n+1}$ to express the constraint that $RD$ is not an integer by using two strict inequalities

Let $(RC)_i$ denote the $i$th element in the row vector $RC$. Then we have

$$P := \bigwedge_{i=1}^{n} v_i = (RC)_i \wedge (v_{n+1} < RD) \wedge (RD < v_{n+1} + 1)$$

The  formula  P  is  given  to  a  SMT  solver.  If  P  is  satisfiable,  we  get  the  required  proof  of  unsatisfiability  R. 
Otherwise,  we  know  that  the  given  system  of  LDEs  is  satisfiable. 
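The constraints of $P$ and the cutting-plane construction of Appendix I, run on the system of Example 15, as an added example (not code from the paper). The function names are hypothetical; `find_proof` is a bounded search over small denominators that stands in for the SMT query (it is neither the HNF method nor Yices) and assumes integer $C$, $D$, and $D = (0, 1)$ is read off from $RD = r_2$ in the formula $P$.

```python
from fractions import Fraction
from itertools import product
from math import floor

# System of Example 15; D = (0, 1) is read off from RD = r2 in the formula P.
EXAMPLE15_C = [[1, -2, 0], [1, 0, -2]]
EXAMPLE15_D = [0, 1]


def p_witness(C, D, R):
    """Return [v_1, ..., v_n, v_{n+1}] satisfying P for this R, else None."""
    R = [Fraction(r) for r in R]
    RC = [sum(r * row[j] for r, row in zip(R, C)) for j in range(len(C[0]))]
    RD = sum(r * d for r, d in zip(R, D))
    if any(Fraction(c).denominator != 1 for c in RC):
        return None                       # some (RC)_i is not an integer
    if Fraction(RD).denominator == 1:
        return None                       # RD is an integer: no v with v < RD < v + 1
    return [int(c) for c in RC] + [floor(RD)]


def find_proof(C, D, max_den=6):
    """Bounded search for R (stand-in for the solver call; assumes integer C, D).

    For integer C and D, adding an integer vector to R preserves both
    conditions, so entries p/q with 0 <= p < q are enough to try.
    """
    for q in range(2, max_den + 1):
        for nums in product(range(q), repeat=len(C)):
            R = [Fraction(p, q) for p in nums]
            if p_witness(C, D, R) is not None:
                return R
    return None


def nonneg_lin_comb(weights, ineqs):
    """Rule nonneg_lin_comb on inequalities given as (coeffs, rhs) meaning coeffs.X <= rhs."""
    assert all(w >= 0 for w in weights)
    n = len(ineqs[0][0])
    lhs = [sum(w * e[j] for w, (e, _) in zip(weights, ineqs)) for j in range(n)]
    rhs = sum(w * f for w, (_, f) in zip(weights, ineqs))
    return lhs, rhs


def rounding(ineq):
    """Rule rounding: only applicable when every coefficient is an integer."""
    lhs, rhs = ineq
    assert all(Fraction(c).denominator == 1 for c in lhs)
    return lhs, Fraction(floor(rhs))


def refute(C, D, R):
    """Appendix I: derive 0 <= -1 from CX <= D and -CX <= -D using R = S1 - S2."""
    R = [Fraction(r) for r in R]
    base = [([Fraction(c) for c in row], Fraction(d)) for row, d in zip(C, D)]
    base += [([-c for c in e], -f) for e, f in base]   # rows of -CX <= -D
    S1 = [max(r, 0) for r in R]
    S2 = [max(-r, 0) for r in R]
    pos = nonneg_lin_comb(S1 + S2, base)    # RCX <= RD
    neg = nonneg_lin_comb(S2 + S1, base)    # -RCX <= -RD
    up, down = rounding(pos), rounding(neg)  # RCX <= k and -RCX <= -k - 1
    final = nonneg_lin_comb([1, 1], [up, down])
    return [pos, neg, up, down, final]
```

`refute` returns the derived inequalities in order; the last one has an all-zero left-hand side and right-hand side $-1$ exactly when $R$ is a proof of unsatisfiability.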


The proof of unsatisfiability for a system of linear modular equations can be computed in a similar manner as well (using definition 3).

As shown by experimental results in Section 7, the black-box use of SMT solver Yices to obtain proofs of unsatisfiability is not efficient (as compared to the use of HNF). The main reason for this seems to be the structure of $P$. Even though the encoding used to obtain $P$ is natural, it is difficult for algorithms used in Yices to decide $P$.